(54) Information processing and data storage

(57) In a registered card issuing information supply
device (131), the registered card issuing information is
encrypted, and the encrypted registered card issuing
information thus obtained is transmitted through a
transmission medium (121) to a registered card issuing
machine (101). In the registered card issuing machine
(101), the encrypted registered card issuing information
from the registered card issuing information supply
device (131) is received and registered. When the
registered card issuing machine (101) is allowed to
communicate with the IC card (2), it transmits the encrypted
registered card issuing information thus registered to
the IC card (2). In the IC card (2), the encrypted
registered card issuing information from the registered card
issuing machine (101) is decoded, and the registered
card issuing information thus obtained is stored.
Description

BACKGROUND OF THE INVENTION 
1. Field of the Invention 

[0001] The present invention relates to an information
processing device, a data storage device, a data stor-
5? SI an information processing method, and an
information processing card.
[0002] Embodiments of the invention relate to an
information processing device and an information processing
method which can safely add and change
management information to manage a memory contained
in an IC (Integrated Circuit) card, for example,
without withdrawing the IC card.



2. Description of the Related Art

[0003] For example, an IC card (smart card) which is
expected to be used in an electronic money system, a
security system, etc. has been developed. The IC card
has a CPU for performing various processing and a
memory for storing data necessary for the processing,
and data transmission/reception to/from the IC card is
performed while it is electrically connected to a
predetermined reader/writer (R/W) or under a non-contact
state by using electromagnetic wave. An IC card which
performs data transmission/reception with R/W under

erally supplied with necessary power through electro- 
:oSr«"- S e^erethe.Ccardisusedinthee,ec- 

Smoneysystem, the security system or the ke.se- 
c^rdateLsecuritysuc^asprevent^torgery 

etc. are important. In general, an access to an IC card
is allowed by a key given from the manager (operator)
of a system. That is, restriction is imposed on an access
to an IC card by a person having no key.
OO^sf Furthe", the security is defined h ^ <W*J 
^.Organization For Standa^^ 
nes the standardization of contact type IC car* . and 
according to it, by locking DF (Dedicated File) care- 
ss toac^orlo^. an access to OF b^9" 

■** 01 the DF w EF (Bementa,y F,,e) 

^:£££SZ«** -e been issued 

by managers or makers of the IC cards, and a so-called
card issuing work of newly adding each IC card with a
file in which data for supplying new services are held or
changing a key necessary for data access is generally
carried out by them in facilities or the like for which the

SfSSJSl an issuer of IC cards performs
a primary issuing work as shown in Fig. 1 and «-

ta read/write operation cannot be performed) to a
registered card issuing dealer who performs a registered
card issuing work. The registered card issuing dealer
performs the registered card issuing work (secondary

s servicesthrou^theiccartcmuwt^a^^ 
is, the registered card issuing dealer keeps in each IC
card a storage area to be used by the manager #1 (the
area of the manager #1), and writes a key necessary to
access the storage area and other information in each

Sd Here the registered card issuing work is carried
out at a place for which the security is highly managed

the like (hereinafter referred to as "proper and safe
place"). Further, in Fig. 1, the registered card issuing
dealer and the manager #1 are frequently the same
persons. The IC cards which have been subjected to the
registered card issuing work are put on the market and
distributed to users. The IC cards are used to supply
services by the manager #1. That is, users can use the
IC cards as electronic passes or purses.
[0009] When the IC cards which are put on the market
as described above are multifunctional IC cards and a
manager #2 other than the manager #1 wishes to supply
a service through the multifunctional IC cards, the
registered card issuing dealer temporarily withdraws the IC
cards which have been put on the market as shown in
Fig. 2. The registered card issuing dealer performs the
registered card issuing work so that the manager #2 can
use the IC cards. That is, the registered card issuing
dealer keeps a storage area to be used by the manager
#2 (the area of the manager #2) in each IC card and
further writes in each IC card a key which is necessary
for the manager #2 to access the storage area, and other
information. Thereafter, the IC cards which have been
subjected to the registered card issuing work are put on
the market again.
[0010] For example, a key written in an IC card
through the registered card issuing work is information
which is important in security of the

undesirable that such information is distributed to places
such as the market, etc. in which unjust «^" u *"
topping, tampering, etc. are carried out with high
probability and for which the security management is not
carried out (hereinafter referred to as "improper and unsafe
places"). Therefore, the IC cards are withdrawn from the
market and the registered card issuing work is carried
out at a safe place as described above.
[0011] Accordingly, the IC cards must be withdrawn
each time the registered card issuing work is wished to
be carried out, and this is cumbersome.



SUMMARY OF THE INVENTION

[0012] An embodiment of the present invention has
been implemented in view of such a situation, and seeks
to enable a key necessary for access to a storage area
and other information to be safely written even at places
which are not safe on security.
[0013] According to an aspect of the present inven- 
tion, there is provided an information processing device 
which is characterized by comprising an encrypting 
means for encrypting management information contain- 
ing a key necessary to access a storage area of data 
storage means in order to manage the storage area of 
the data storage means. The encrypting means en- 
crypts the management information containing the key 
necessary to access the storage area in order to man- 
age the storage area of the data storage means. 
[0014] According to another aspect of the present in- 
vention, there is provided an information processing 
method which is characterized by comprising an en- 
crypting step of encrypting management information 
containing a key necessary to access a storage area of 
data storage means in order to manage the storage area 
of the data storage means. The management informa- 
tion containing the key necessary to access the storage 
area in order to manage the storage area of the data 
storage means is encrypted. 

[0015] According to a further aspect of the present
invention, there is provided an information processing
device which is characterized by comprising a decoding
means for decoding encrypted management information
which contains a key necessary to access a storage
area of data storage means in order to manage the
storage area of the data storage means. The decoding
means decodes the encrypted management information
which contains the key necessary to access the
storage area in order to manage the storage area of the
data storage means.

[0016] According to a still further aspect of the present
invention, there is provided an information processing
method which is characterized by comprising a decod- 
ing step of decoding encrypted management informa- 
tion which contains a key necessary to access a storage 
area of data storage means in order to manage the stor- 
age area of the data storage means. The encrypted 
management information which contains the key neces- 
sary to access the storage area in order to manage the 
storage area of the data storage means is decoded. 
[0017] An information processing device of a first
aspect of the present invention is an information
processing device for performing processing to supply
management information to a data storage device which
contains data storage means for storing data (for example,
EEPROM 66 shown in Fig. 5 or the like), management
information storage means for storing management
information containing a key necessary to access a
storage area of data storage means in order to manage the
storage area of the data storage means (for example,
EEPROM 66 shown in Fig. 5 or the like) and
management means for managing the data storage means (for
example, a sequencer 91 shown in Fig. 5 or the like),
and it is provided with forming means for forming the
management information (for example, a processing
step S21 of a program shown in Fig. 30 or the like), and
encrypting means for encrypting the management
information (for example, a processing step S23 of a
program shown in Fig. 30 or the like).
[0018] The above information processing device
further includes operating means for operating a check
code to check whether the management information is
tampered or not (for example, a processing step S22 of
the program shown in Fig. 30 or the like), and the
encrypting means encrypts the check code as well as the
management information.

[0019] The above information processing device
further includes transmission means for transmitting the
encrypted management information to a data storage
device through a predetermined transmission medium
(for example, a processing step S24 of the program
shown in Fig. 30 or the like).

[0020] An information processing device of the third
aspect of the present invention is an information
processing device having data storage means for
storing data (for example, EEPROM 66 shown in Fig. 5 or
the like), management information storage means for
storing management information containing a key
necessary to access a storage area of data storage means
in order to manage the storage area of the data storage
means (for example, EEPROM 66 shown in Fig. 5 or the
like) and management means for managing the data
storage means (for example, a sequencer 91 shown in
Fig. 5 or the like), and it includes reception means for
receiving the encrypted management information (for
example, an interface unit 61 shown in Fig. 5 or the like),
decoding means for decoding the encrypted
management information (for example, a processing step S32
of a program shown in Fig. 32), and storage control
means for storing the management information into
management information storage means (for example,
a processing step S4 of a program shown in Fig. 9, a
processing step S14 of a program shown in Fig. 10 or
the like).

[0021] The information processing device further
includes check means for checking whether the
management information is tampered or not (for example, a
processing step S33 of the program shown in Fig. 32 or
the like).
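
The supply-side steps S21 to S24 and the card-side steps S32 and S33 described above can be traced end to end in the following added example, which is not code from the patent. The patent names no cipher, check-code algorithm or record layout, so the HMAC-SHA256 keystream, the truncated HMAC check code, the field layout and every identifier below are assumptions.

```python
import hashlib
import hmac
import os
import struct

# Added illustration. The patent names no cipher, check-code algorithm or
# record layout, so everything below is an assumption: an HMAC-SHA256
# keystream stands in for the cipher, a truncated HMAC for the check code.
NONCE_LEN = 12
CHECK_LEN = 16


def _subkeys(issuing_key: bytes):
    """Derive separate encryption and check-code keys from the shared key."""
    enc = hmac.new(issuing_key, b"encrypt", hashlib.sha256).digest()
    chk = hmac.new(issuing_key, b"check", hashlib.sha256).digest()
    return enc, chk


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (same call decodes)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = nonce + struct.pack(">I", counter)
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def form_management_info(area_code: int, block_count: int, area_key: bytes) -> bytes:
    """S21: build the management information (hypothetical field layout)."""
    return struct.pack(">HH", area_code, block_count) + area_key


def supply(issuing_key: bytes, info: bytes) -> bytes:
    """Supply device: S22 check code, S23 encrypt both, S24 hand off the blob."""
    enc_key, chk_key = _subkeys(issuing_key)
    check = hmac.new(chk_key, info, hashlib.sha256).digest()[:CHECK_LEN]  # S22
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(enc_key, nonce, info + check)          # S23, S24


class Card:
    """IC card side: holds the shared key and the management-information store."""

    def __init__(self, issuing_key: bytes):
        self._issuing_key = issuing_key
        self.management_info = []   # stands in for the EEPROM system blocks

    def receive(self, blob: bytes) -> bool:
        """S32 decode, S33 tamper check; store only when the check code matches."""
        if len(blob) <= NONCE_LEN + CHECK_LEN:
            return False
        enc_key, chk_key = _subkeys(self._issuing_key)
        plain = _keystream_xor(enc_key, blob[:NONCE_LEN], blob[NONCE_LEN:])  # S32
        info, check = plain[:-CHECK_LEN], plain[-CHECK_LEN:]
        expected = hmac.new(chk_key, info, hashlib.sha256).digest()[:CHECK_LEN]
        if not hmac.compare_digest(check, expected):                        # S33
            return False
        self.management_info.append(info)
        return True


def run_demo() -> dict:
    """Pass one blob through an untrusted issuing machine, intact and altered."""
    issuing_key = bytes(range(32))                      # constructed sample key
    info = form_management_info(0x0100, 32, b"K" * 8)   # constructed sample values
    blob = supply(issuing_key, info)     # what the issuing machine registers

    altered = bytearray(blob)
    altered[NONCE_LEN] ^= 0x01           # one bit changed on the way to the card

    good_card = Card(issuing_key)
    hit_card = Card(issuing_key)
    other_card = Card(b"\x55" * 32)      # card that does not share the key
    return {
        "intact_accepted": good_card.receive(blob),
        "stored_matches": good_card.management_info == [info],
        "altered_accepted": hit_card.receive(bytes(altered)),
        "altered_stored": len(hit_card.management_info),
        "wrong_key_accepted": other_card.receive(blob),
        "key_visible_in_blob": b"K" * 8 in blob,
    }


if __name__ == "__main__":
    print(run_demo())
```

The check code is keyed in this sketch because a linear code such as a CRC, encrypted with an XOR keystream, would not reveal a deliberate modification of the blob.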

[0022] The invention is not limited to the examples in
the foregoing aspects.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0023] For a better understanding of the present
invention, reference will now be made by way of example
to the accompanying drawings in which:

Fig. 1 is a diagram showing the distribution of conventional IC cards;
Fig. 2 is a diagram showing the distribution of conventional IC cards;
Fig. 3 is a block diagram showing the construction of an embodiment of a
card system using an embodiment of an IC card to which the present
invention is applied;
Fig. 4 is a block diagram showing the construction of a reader/writer 1
of Fig. 3;
Fig. 5 is a block diagram showing the construction of the IC card 2 of
Fig. 3;
Fig. 6 is a diagram showing a logical format of EEPROM 66 of Fig. 5;
Fig. 7 is a diagram showing the directory structure of EEPROM 66 of
Fig. 5;
Fig. 8 is a diagram showing a process of constructing the layer
structure of Fig. 7;
Fig. 9 is a flowchart showing area forming processing;
Fig. 10 is a flowchart showing service forming processing;
Fig. 11 is a diagram showing key reception/delivery between managers;
Fig. 12 is a diagram showing information necessary when a manager A
supplies services;
Fig. 13 is a diagram showing the processing of the IC card 2 when the
manager A supplies services;
Fig. 14 is a diagram showing a certification method of the IC card 2 by
a service supply apparatus 111;
Fig. 15 is a diagram showing the certification method of the service
supply apparatus 111 by the IC card 2;
Fig. 16 is a diagram showing information necessary when a manager B2
supplies services;
Fig. 17 is a diagram showing the processing of the IC card 2 when the
manager B2 supplies services;
Fig. 18 is a diagram showing information necessary when a manager C
supplies services;
Fig. 19 is a diagram showing the processing of the IC card 2 when the
manager C supplies services;
Fig. 20 is a diagram showing information necessary when the manager C
supplies services;
Fig. 21 is a diagram showing the processing of the IC card 2 when the
manager C supplies services;
Fig. 22 is a diagram showing a method of generating a first access key
and a second access key used for mutual certification;
Fig. 23 is a diagram showing the layer structure of EEPROM 66;
Fig. 24 is a diagram showing key reception/delivery between managers;
Fig. 25 is a diagram showing common use of services (data) between
managers;
Fig. 26 is a diagram showing the layer structure of EEPROM 66;
Fig. 27 is a diagram showing key reception/delivery between managers;
Fig. 28 is a diagram illustrating, by way of example, the principle of
the present invention;
Fig. 29 is a block diagram showing the construction of an embodiment of
a registered card issuing system to which the present invention is
applied;
Fig. 30 is a flowchart showing the registered card issuing information
supply processing;
Fig. 31 is a diagram showing the format of encrypted registered card
issuing information; and
Fig. 32 is a flowchart showing decoding processing.

DETAILED DESCRIPTION OF THE ILLUSTRATIVE
EMBODIMENTS



[0024] Fig. 3 shows the construction of an embodiment
of a non-contact card system using an IC card to
which an embodiment of the present invention is applied
(the system means a logical assembly of plural devices,
and it is not dependent on whether the respective
devices are located in the same housing or not).
[0025] The non-contact card system comprises R/W 1,
an IC card 2 and a controller 3, and data transmission/
reception is carried out between the R/W 1 and the IC
card 2 under non-contact state by using electromagnetic
wave.

[0026] That is, R/W 1 transmits a predetermined
command to the IC card 2, and the IC card 2 receives the
command to perform the processing corresponding to
the command. The IC card 2 transmits the response
data corresponding to the processing result to R/W 1.
[0027] R/W 1 is connected to the controller 3 through
a predetermined interface (which is conformed with the
standard of RS-485A or the like), and the controller 3
supplies a predetermined control signal to R/W 1 so that
R/W 1 performs predetermined processing.
[0028] Fig. 4 shows the construction of R/W 1 of Fig. 3.

[0029] In IC 21, DPU (Data Processing Unit) 31 for
performing data processing, SPU (Signal Processing
Unit) 32 for processing data to be transmitted to the IC
card 2 and data received from the IC card 2, SCC (Serial
Communication Controller) 33 which communicates with
the controller 3, and a memory unit 34 comprising a
ROM portion 41 for beforehand storing information
required to process data and a RAM portion 42 for
temporarily storing data during processing are connected to
one another through a bus.

[0030] Further, a flash memory 22 for storing prede- 
termined data is also connected to the bus. 
[0031] DPU 31 outputs to SPU 32 a command to be
transmitted to the IC card 2, and receives from SPU 32
response data received from the IC card 2.
[0032] After predetermined processing (for example,
BPSK (BiPhase Shift Keying) modulation (coding to
Manchester code) or the like) is carried out on the
command to be transmitted to the IC card 2, SPU 32 outputs
it to a modulation circuit 23, and also it receives from a
demodulation circuit 25 the response data transmitted
by the IC card 2 to perform predetermined processing
on the data.

[0033] The modulation circuit 23 performs ASK
(Amplitude Shift Keying) modulation on carrier wave having
a predetermined frequency (for example, 13.56MHz)
supplied from an oscillator (OSC) 26 on the basis of data
supplied from SPU 32, and outputs the modulation wave
thus generated as electromagnetic wave through an
antenna 27 to the IC card 2. At this time, the modulation
circuit 23 is designed so that the modulation factor is set
to be less than 1 and the ASK modulation is performed,
whereby the maximum amplitude of the modulation
wave is prevented from being reduced to zero even at
low level of the data.

[0034] The demodulation circuit 25 demodulates the 
modulation wave (ASK-modulated wave) received 
through the antenna 27, and outputs the data thus de- 
modulated to SPU 32. 

[0035] Fig. 5 shows the construction of the IC card 2 
of Fig. 3. 

[0036] In the IC card 2, IC 51 receives the modulation 
wave transmitted from R/W 1 through the antenna 53. 
A capacitor 52 constitutes an LC circuit together with the 
antenna 53, and it is designed so as to be tuned (oscil- 
lated) with electromagnetic wave having a predeter- 
mined frequency (carrier frequency). 
[0037] In IC 51, an RF interface unit 61 detects and 
demodulates the modulation wave (ASK-modulated 
wave) received through the antenna 53 by an ASK de- 
modulator 81, and outputs the data thus demodulated 
to a BPSK demodulation circuit 62 and a PLL (Phase 
Locked Loop) unit 63. In addition, it stabilizes the signal 
detected in an ASK demodulator 81 by a voltage regu- 
lator 82, and supplies it as a DC power to each circuit. 
[0038] The RF interface unit 61 oscillates a signal 
having the same frequency as the clock frequency of 
the data in an oscillation circuit 83, and outputs the signal
to the PLL unit 63.

[0039] In the RF interface unit 61, the load of the
antenna 53 serving as the power source of the IC card 2
is varied in connection with data supplied through the
BPSK modulation circuit 68 from the operation unit 64
in the ASK modulator 81 (for example, a prescribed
switching element is switched on/off in connection with
data and only when the switching element is switched
on, a predetermined load is connected to the antenna
53 in parallel), whereby the modulation wave received
through the antenna 53 is subjected to ASK modulation
(when the data are transmitted from the IC card 2 (the
IC card 2 is made to transmit data), R/W 1 sets the
maximum amplitude of the modulation wave output
therefrom to a fixed value, and this modulation wave is
subjected to the ASK modulation on the basis of the
variation of the load of the antenna 53), and transmits the
modulation component thereof through the antenna 53
to R/W 1 (varies the terminal voltage of the antenna 27
of R/W 1).

[0040] On the basis of the data supplied from the ASK 
demodulator 81, the PLL unit 63 generates a clock signal
which is in synchronism with the data, and outputs
the clock signal to the BPSK demodulation circuit 62 and 
the BPSK modulation circuit 68. 
[0041] When the data demodulated in the ASK
demodulator 81 are BPSK-modulated, the BPSK
demodulation circuit 62 demodulates the data (decodes
Manchester code) according to the clock signal supplied
from the PLL unit 63 and outputs the data thus
demodulated to the operation unit 64.
[0042] When the data supplied from the BPSK de- 
modulation circuit 62 are encrypted, the operation unit 
64 decodes the data in an encrypt/decode unit 92, and
then processes the data in a sequencer 91. When the 
data are not encrypted, the data supplied from the BPSK 
demodulation circuit 62 are directly supplied to the se- 
quencer 91, not passing through the encrypt/decode 
unit 92. 

[0043] The sequencer 91 is designed to perform the 
processing corresponding to data as a command to be 
supplied thereto. That is, for example, the sequencer 91 
performs data writing and reading operation into/from 
EEPROM 66 and other necessary operation processing.
Further, the sequencer 91 performs an access control
to EEPROM 66 on the basis of certification and also
manages EEPROM 66. 

[0044] A parity operator 93 of the operation unit 64 
calculates a Reed Solomon code as a parity on the basis 
of the data stored in EEPROM 66. 
[0045] After the operation unit 64 performs
predetermined processing in the sequencer 91, it outputs the
response data corresponding to the processing (the data
to be transmitted to R/W 1) to the BPSK modulation
circuit 68.

[0046] The BPSK modulation circuit 68 subjects the 
data supplied from the operation unit 64 to BPSK mod- 
ulation, and outputs the data thus modulated to the ASK 
modulator 84 of the RF interface unit 61.
[0047] ROM (Read Only Memory) 65 stores a pro- 
gram with which the sequencer 91 performs its process- 
ing, and other necessary data. RAM 67 temporarily 
stores data in the course of the processing of the se- 
quencer 91. 

[0048] EEPROM (Electrically Erasable and
Programmable ROM) 66 is a non-volatile memory, and it
continues to store data even when the IC card 2 finishes the
communication with R/W 1 and power supply is
stopped.

[0049] Next, the data transmission/reception 
processing between R/W 1 and the IC card 2 will be de- 
scribed. 

[0050] R/W1 (Fig. 4) radiates predetermined electro- 
magnetic wave from the antenna 27, monitors the load 
state of the antenna 27 and waits until the variation of 
the load state due to approach of the IC card 2 is de- 
tected. R/W 1 may perform processing (polling) in which 
the electromagnetic wave which is ASK-modulated on
the basis of data of a predetermined short pattern is ra- 
diated to call to the IC card 2 until a response is obtained 
from the IC card 2 within a fixed time. 
[0051] When the approach of the IC card 2 is detected
in R/W 1, SPU 32 of R/W 1 takes a rectangular wave
of a predetermined frequency (for example, a frequency
which is twice as high as the clock frequency of the data)
as carrier wave, subjects it to BPSK modulation on the
basis of data to be transmitted to the IC card 2 (the
command corresponding to processing to be executed by
the IC card 2, write-in data to be written into the IC card
2, etc.) and outputs the modulation wave (BPSK
modulation signal) thus generated (Manchester code) to the
modulation circuit 23.

[0052] In the BPSK modulation processing, the data 
can be associated with the variation of the phase of the 
modulation wave by using differential conversion, and 
in this case, the BPSK modulation signal can be demodulated
to the original data even when it is inverted.
Therefore, it is unnecessary to consider the polarity of
the modulation wave in the demodulation operation. 
[0053] On the basis of the BPSK modulation signal
input, the modulation circuit 23 subjects predetermined
carrier wave to the ASK modulation at a modulation
factor (= maximum amplitude of data signal/maximum
amplitude of carrier wave) which is less than 1 (for
example, 0.1) and transmits the modulation wave (ASK
modulation wave) thus generated through the antenna
27 to the IC card 2.

[0054] When no transmission is carried out, the
modulation circuit 23 generates the modulation wave, for
example, at high level of two levels (high level and low
level) of digital signals.

[0055] In the IC card 2 (Fig. 5), a part of
electromagnetic wave radiated from the antenna 27 of R/W 1 is
converted to an electrical signal in an LC circuit comprising
an antenna 53 and a capacitor 52, and the electrical
signal (modulation wave) is output to the RF interface 61
of IC 51. The ASK demodulator 81 of the RF interface
61 detects an envelope by rectifying and smoothening
the modulation wave and supplies the signal thus
generated to the voltage regulator 82. In addition, it
suppresses the DC component of the signal to extract the
data signal, and outputs the data signal to the BPSK
demodulation circuit 62 and the PLL unit 63.
[0056] At this time, the terminal voltage $V_0$ of the
antenna 53 is as follows.

$$V_0 = V_{10}(1 + k \times Vs(t))\cos(\omega t)$$

However, $V_{10}\cos(\omega t)$ represents carrier wave, $k$
represents the modulation factor and $Vs(t)$ represents data
output from SPU 32.

[0057] The value $V_{LR}$ of low level in the voltage $V_1$
after the rectification by the ASK demodulator 81 is as
follows.

$$V_{LR} = V_{10}(1 + k \times (-1)) - Vf$$



[0058] Here, in the ASK demodulator 81, Vf
represents a voltage drop in a diode (not shown) constituting
a rectifying circuit for rectification and smoothening, and
it is generally equal to about 0.7 volt.



[0059] When receiving the signal rectified and
smoothened by the ASK demodulator 81, the voltage
regulator 82 stabilizes the signal and supplies it as DC
power to respective circuits as well as the operation unit
64. In this case, since the modulation factor k of the
modulation wave is less than 1 as described above, the
voltage variation (the difference between the high level and
the low level) after the rectification is small. Accordingly,
the DC power can be easily generated in the voltage
regulator 82.

[0060] Here, when the modulation wave having the
modulation factor k of 5% is received so that $V_{10}$ is
above 3 volts, the low level voltage $V_{LR}$ after the
rectification is equal to 2.15 (= 3 × (1 − 0.05) − 0.7) volts or more,
and the voltage regulator 82 can supply a sufficient
voltage as power to each circuit. In this case, the amplitude
$2 \times k \times V_{10}$ (Peak-to-Peak value) of the AC component
(data component) of the voltage $V_1$ after the rectification
is equal to 0.3 (= 2 × 0.05 × 3) volts or more, and the ASK
demodulator 81 can demodulate the data at a
sufficiently high S/N ratio.

[0061] As described above, by using the ASK
modulation wave having a modulation factor k less than 1, a
communication having a low error rate (in a high S/N
ratio state) can be performed, and a DC voltage which
is sufficient as power can be supplied to the IC card 2.
[0062] When receiving the data signal (BPSK
demodulation signal) from the ASK demodulator 81, the BPSK
demodulation circuit 62 demodulates the data signal
according to the clock signal supplied from the PLL unit 63
and outputs the data thus demodulated to the operation
unit 64.
[0063] When the data supplied from the BPSK
demodulation circuit 62 are encrypted, the operation unit
64 decodes the data in the encrypt/decode unit 92, and
then supplies the data (command) to the sequencer 91
to process the data. During this time period, that is,
during the period from the time when the data are
transmitted to the IC card 2 until a response to the transmission
is received, R/W 1 transmits data having a value of 1
and is on standby. Accordingly, during this time, the IC
card 2 receives the modulation wave whose maximum
amplitude is constant.

[0064] After the processing is finished, the sequencer
91 outputs the data on the processing result, etc. (data
to be transmitted to R/W 1) to the BPSK modulation
circuit 68. The BPSK modulation circuit 68 subjects the
data to the BPSK modulation (coding to Manchester code)
as in the case of SPU 32 of R/W 1, and then outputs the
modulated data to the ASK modulator 84 of the RF
interface unit 61.

[0065] The ASK modulator 84 varies a load connected
to both the ends of the antenna 53 in accordance
with data from the BPSK modulation circuit 68 by using
a switching element or the like, whereby the modulation
wave received (the maximum amplitude of the
modulation wave output from R/W 1 is constant at the
transmission time of data from the IC card 2 as described above)
is subjected to ASK modulation in accordance with the
data to be transmitted to vary the terminal voltage of the
antenna 27 of R/W 1, and then transmits the data thus
modulated to R/W 1.

[0066] The modulation circuit 23 of R/W 1 continues 
the transmission of data having value of 1 (high level) 
at the reception time of the data from the IC card 2. In 
the demodulation circuit 25, the data transmitted from 
the IC card 2 is detected on the basis of minute variation 
(for example, several tens micro volts) of the terminal 
voltage of the antenna 27 which is electromagnetically 
coupled to the antenna 53 of the IC card 2. 
[0067] Further, in the demodulation circuit 25, the de- 
tected signal (ASK modulation wave) is amplified and 
modulated by a high-gain amplifier (not shown), and dig- 
ital data thus obtained are output to SPU 32. SPU 32 
demodulates the data (BPSK modulation signal) and 
outputs it to DPU 31. DPU 31 processes data from SPU
32 and judges on the basis of the processing result 
whether the communication should be finished or not. If 
it judges that the communication is carried out again, 
the communication between R/W 1 and the IC card 2 is 
carried out like the above case. On the other hand, if it 
judges that the communication is finished, R/W 1 finishes
the communication processing with the IC card 2.
[0068] As described above, R/W 1 transmits data to
the IC card 2 by using the ASK modulation in which the
modulation factor k is less than 1, and the IC card 2
receives the data to carry out the processing corresponding
to the data and returns the data corresponding to the
processing result to R/W 1.

[0069] Fig. 6 shows a logical format of EEPROM 66 
of Fig. 5. 

[0070] EEPROM 66 is constructed on a block basis,
and in an embodiment of Fig. 6, one block is composed 
of 16 bytes, for example. 

[0071] Further, in the embodiment of Fig. 6, the logical 
address of the uppermost block is set to #0000h (h rep- 
resents a hexadecimal number), and other logical ad- 
dresses are allocated in ascending numeric order. In 
Fig. 6, #0000h to #FFFFh are allocated as the logical 
addresses, and thus blocks of 65536 (= $2^{16}$) are
constructed.

[0072] The blocks are constructed so as to be used
as a user block or system block. The blocks of EEPROM 
66 are allocated to the user blocks in the ascending nu- 
meric order of the logical addresses, and allocated to 
the system blocks in the descending numeric order of 
the logical addresses. That is, in Fig. 6, the user blocks 
are increased downwardly and the system blocks are 
increased upwardly. At the time when there is no empty 
block, the user block and the system block cannot be 
formed. Accordingly, the boundary between the user 
blocks and the system blocks is not fixed, and no restric- 
tion is imposed on the number of the user blocks and 
the number of the system blocks (however, in the em- 
bodiment of Fig. 6, the total number of the user blocks 
and the system blocks is limited to 65536 or less). 
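
The allocation rule of the preceding paragraph, with user blocks taken in ascending address order, system blocks in descending order, and no fixed boundary between them, is sketched in the following added example, which is not code from the patent. The class and function names and the 8-block card are constructed for illustration.

```python
class NoEmptyBlock(Exception):
    """Raised when the user and system regions have met."""


class BlockMap:
    """Two-ended block allocation over one EEPROM address space.

    Names and the small test size are illustrative assumptions; the rule
    (user blocks ascending, system blocks descending, no fixed boundary)
    is the one described for Fig. 6.
    """

    def __init__(self, total_blocks: int = 0x10000):
        self.total_blocks = total_blocks
        self.next_user = 0                    # grows upward from #0000h
        self.next_system = total_blocks - 1   # grows downward from the top address

    def free_blocks(self) -> int:
        return self.next_system - self.next_user + 1

    def alloc_user(self) -> int:
        return self._take(user=True)

    def alloc_system(self) -> int:
        return self._take(user=False)

    def _take(self, user: bool) -> int:
        # Either kind of request fails once no empty block remains, so a
        # user block can never land on a block holding keys or definitions.
        if self.free_blocks() <= 0:
            raise NoEmptyBlock("no empty block left")
        if user:
            addr, self.next_user = self.next_user, self.next_user + 1
        else:
            addr, self.next_system = self.next_system, self.next_system - 1
        return addr

    def kind(self, addr: int) -> str:
        if not 0 <= addr < self.total_blocks:
            raise ValueError("address outside EEPROM")
        if addr < self.next_user:
            return "user"
        if addr > self.next_system:
            return "system"
        return "empty"


def issue(total_blocks: int = 0x10000) -> tuple:
    """Place the three blocks present at issuance and return (map, addresses)."""
    eeprom = BlockMap(total_blocks)
    # manufacturing ID block, issuance ID block, system defining block
    fixed = [eeprom.alloc_system() for _ in range(3)]
    return eeprom, fixed


def fill_small_card() -> tuple:
    """Constructed 8-block card: fill it with user blocks after issuance."""
    eeprom, _ = issue(8)
    users = []
    try:
        while True:
            users.append(eeprom.alloc_user())
    except NoEmptyBlock:
        pass
    return users, eeprom.kind(4), eeprom.kind(5)


if __name__ == "__main__":
    print(issue()[1], fill_small_card())
```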



[0073] The system blocks are classified into five kinds 
of a manufacturing ID (Identification) block, an issuance 
ID block, a system defining block, an area defining block 
and a service defining block. In the embodiment of Fig.
6, the block serving as the area defining block or service
defining block is shown as an area/service defining 
block. 

[0074] Out of the system blocks, the three kinds of
blocks of the manufacturing ID block, the issuance ID
block and the system defining block have been basically
disposed at the issuance time of the IC card 2, and they
are disposed at logical addresses #FFFFh, #FFFEh and
#FFFDh, respectively. The area/service defining blocks
are disposed in forming order at logical addresses higher
than the logical address #FFFCh.

[0075] Information on the manufacturing of the IC 
card 2 is disposed in the manufacturing ID block. That 
is, for example, a unique manufacturing ID, a manufac- 
turing date, a manufacture code, etc. are disposed in 
the manufacturing ID block.

[0076] Information on issuance of the IC card 2 is dis- 
posed in the issuance ID block. That is, in the issuance 
ID block are disposed codes of an issuance date of the 
IC card 2, an issuance order of the IC card 2, etc. 
[0077] In the system defining block are disposed the
number of system blocks or user blocks owned by EEP- 
ROM 66, a system key and the like. The system key is 
used when mutual certification is carried out among the 
IC card 2, R/W 1 and the controller 3. 
[0078] The area defining block is formed by allocating
a storage area (area) of EEPROM 66 to the manager, 
and information to manage the storage area allocated 
to the manager itself, etc. are disposed in the area
defining block. That is, in the area defining block are
disposed a code range described later, an empty capacity,
an area key, etc., for example. 
[0079] In the service defining block are disposed in- 
formation to manage a service area described later (the 
capacity of a service area, a service key, etc.), etc.
[0080] Next, the storage area of EEPROM 66 is managed
in the sequencer 91 as a layered structure.
[0081] That is, Fig. 7 shows the directory structure of 
EEPROM 66. 

[0082] The storage area of EEPROM 66 is designed 
in a layered structure in which the area defining area is
layered, and the area defining area is designed so as to 
be able to have an area defining area and a service de- 
fining area. 

[0083] The area defining area is allocated to the manager.
In the area defining area are disposed a code
range representing a range of identification codes which
are usable as names for identification of the area defining
area and the service defining area by the manager,
an empty capacity representing the number of empty
blocks available, an area key to generate an access key
described later which is used for certification and the
like. Here, the area defining area of 1 corresponds to
the area defining block of 1 described with respect to



[0084] In the embodiment of Fig. 7, the area defining
area allocated to the manager A constitutes the uppermost
layer, and the area defining areas of the managers
B1 and B2 are formed with the defining area of the manager
A being set as a parent layer. Further, the area defining
area of the manager C is formed with the defining
area of the manager B1 being set as a parent layer.
[0085] The service defining area is allocated to a serv- 
ice supplied from the manager, and the capacity of a 
service area for storing data necessary to supply serv- 
ices, a service key to generate an access key, etc. are 
disposed in the service defining area. Here, the service 
defining area of 1 corresponds to the service defining 
block of 1 described with reference to Fig. 6. 
[0086] The service area is a storage area for storing
data necessary to supply services, and it corresponds
to the user block of Fig. 6. That is, the service area is
constructed by user blocks above 0, and the number of
user blocks constituting the service area is disposed as
the capacity of the service defining area for managing
the service area.

[0087] Further, in the area defining area and the serv- 
ice defining area are disposed identification codes for 
identifying these areas. Here, the identification codes to 
identify the area defining area and the service defining 
area are hereinafter referred to as an area code and a 
service code. The service code is to identify the service 
defining area for managing a service area, and thus it 
can be regarded as an identification code (service area 
identification code) for identifying the service area
concerned.

[0088] In the embodiment of Fig. 7, the area defining
area of the uppermost layer is allocated to the manager
A. 0000h to FFFFh are defined as a range of usable
identification codes (code range), and
0123456789abcdef are defined as an area key. Here,
any identification code may be used as the area code
of the area defining area if it is an identification code
within the code range in the area defining area. In this
embodiment, the minimum value of the code range of
the area defining area is used as the area code thereof.
Accordingly, the area code of the area defining area
whose code range is from 0000h to FFFFh, that is, the
area defining area allocated to the manager A is set to
0000h. Here, the area defining area whose area code
is set to #xxxxh is hereinafter described as the area
defining area #xxxxh.

[0089] The layer of the area defining area #0000h of
the manager A is provided with a service defining area
in which the manager A supplies services. 0008h of the
code range from 0000h to FFFFh of the area defining
area #0000h is allocated as a service code to the service
defining area. Here, the service defining area of the
service code #xxxxh is hereinafter described as the
service defining area #xxxxh.
[0090] The capacity of the service defining area
#0008h is set to 8, and thus the service area constructed
by user blocks of 8 is usable. Further, the service key of
the service defining area #0008h is set to
0101010101010101.

[0091] The layer of the area defining area #0000h of
the manager A is provided with an area defining area
#0100h of the manager B1 and an area defining area
#1000h of the manager B2 as child layers. Further, the
layer of the area defining area #0000h is provided with
other area defining areas (not shown), and thus the
number of blocks (empty capacity) usable by the area
defining area #0000h is set to 37 blocks, for example.
[0092] As the code range of the area defining area
#0100h of the manager B1 are allocated 0100h to
03FFh in the code range from 0000h to FFFFh of the
area defining area #0000h which is the parent layer of
the area defining area #0100h. Here, since the code
range of the area defining area of the manager B1 is
from 0100h to 03FFh, 0100h which is the minimum value
of the code range is set as the area code of the area
defining area of the manager B1. Further, the empty
capacity and the area key of the area defining area #0100h
are set to 14 and a0a0a0a0a0a0a0a0, respectively.
[0093] The layer of the area defining area #0100h of
the manager B1 is provided with the area defining area
#0300h of the manager C as a child layer thereof. As
the code range of the area defining area #0300h of the
manager C are allocated 0300h to 03FFh in the code
range from 0100h to 03FFh of the area defining area
#0100h which is the parent layer thereof. Here, since
the code range of the area defining area of the manager
C is from 0300h to 03FFh, 0300h which is the minimum
of the code range is set as the area code of the area
defining area of the manager C.
[0094] The empty capacity and area key of the area
defining area #0300h are set to 0 and
b0b0b0b0b0b0b0b0, respectively.
[0095] The layer of the area defining area #0300h of
the manager C is provided with a service defining area
for service supply by the manager C. 030Ch in the code
range from 0300h to 03FFh of the area defining area
#0300h is allocated as a service code to the service
defining area.

[0096] The capacity of the service defining area to
which the service code 030Ch is allocated, that is, the
service defining area #030Ch is set to 16, and thus the
service area constructed by user blocks of 16 can be
used. Further, the service key of the service defining
area #030Ch is set to 0202020202020202.
[0097] Here, the capacity of the service area managed
by the service defining area #030Ch is equal to
16, and the service defining area #030Ch itself uses one
block as a service defining block, so that the number of
blocks being used is equal to 17 (=16+1) because the
service defining area #030Ch exists. The number of
blocks usable by the area defining area #0300h of a layer
to which the service defining area #030Ch belongs is
equal to zero block because the empty capacity thereof
is equal to zero. Further, the area defining area #0300h
itself uses one block as an area defining block. Accordingly,
in the layer of the area defining area #0300h, the
number of blocks being used is equal to 18 (=17+1) and
the number of usable blocks is equal to zero. Therefore,
it is found that the number of blocks allocated from the
area defining area #0100h serving as its parent layer
(upper layer) is equal to 18 (=18+0).
[0098] With respect to the layer of the area defining
area #0100h, 18 blocks are used in the area defining
area #0300h serving as a child layer (lower layer) of the
area defining area #0100h as described above. Further,
the area defining area #0100h itself uses one block as
an area defining block. The empty capacity of the area
defining area #0100h is equal to 14 as described above.
Accordingly, in the layer of the area defining area
#0100h, the number of blocks being used is equal to 19
(=18+1), and the number of usable blocks is equal to
14. Therefore, the number of blocks allocated from the
area defining area #0000h serving as the parent layer
thereof is equal to 33 (=19+14).
[0099] On the other hand, as the code range of the
area defining area #1000h of the manager B2 are allocated
1000h to 1FFFh in the code range from 0000h to
FFFFh of the area defining area #0000h serving as the
parent layer thereof. Here, since the code range of the
area defining area of the manager B2 is from 1000h to
1FFFh, 1000h which is the minimum value of the above
code range is set as the area code of the area defining
area of the manager B2.

[0100] Further, the empty capacity and area key of the
area defining area #1000h are set to 43 and
c0c0c0c0c0c0c0c0, respectively.
[0101] The layer of the area defining area #1000h of
the manager B2 is provided with a service defining area
for the service supply of the manager B2. 1022h in the
code range from 1000h to 1FFFh of the area defining
area #1000h is allocated as a service code to the service
defining area.

[0102] The capacity of the service defining area to 
which the service code 1022h is allocated, that is, the 
service defining area #1022h is set to 4, and thus a serv- 
ice area constructed by user blocks of 4 can be used. 
Further, the service key of the service defining area 
#1022h is set to 0303030303030303. 
[0103] Here, the capacity of the service area man- 
aged by the service defining area #1022h is equal to 4, 
and the service defining area #1022h itself uses one 
block as a service defining block, so that the number of 
blocks being used is equal to 5 (=4+1) because of ex- 
istence of the service defining area #1022h. Further, the 
number of blocks usable by the area defining area 
#1000h of a layer to which the service defining area 
#1022h belongs is equal to 43 because the empty ca- 
pacity thereof is equal to 43. Further, the area defining 
area #1000h itself uses one block as an area defining 
block. Accordingly, in the layer of the area defining area 
#1000h, the number of blocks being used is equal to 6 
(=5+1), and the number of usable blocks is equal to 43,
so that the number of blocks allocated to the area
defining area #1000h is equal to 49 (=6+43).
[0104] Since the code range serving as the range of
identification codes which can be allocated to an area
defining area to be managed is stored in the area defining
area as described above, such a layer structure as
shown in Fig. 7 in which an area defining area of a
management target is set as a child layer and an area
defining area for managing the area defining area is set as
a parent layer can be defined on the basis of the code
range.

[0105] Next, a process of constructing the layer struc- 
ture shown in Fig. 7 on the assumption that the manager 
A to which the area defining area #0000h of the uppermost
layer is allocated is a supplier of an IC card 2 will
be described with reference to Fig. 8. 
[0106] The manager A issues the IC card 2 in accordance
with the user's request (1). Only the area defining
area #0000h in the layer structure of Fig. 7 is formed in
the IC card 2.

[0107] When the manager A starts to supply a predetermined
service by using the service area managed by
the service defining area #0008h, the manager A registers
into the registered card issuing machine 101 information
necessary to form the service defining area
#0008h (2).

[0108] Here, the registered card issuing machine 101
is constructed by R/W 1 and the controller 3 shown in
Fig. 3, for example. The registered card issuing machine
101 may be disposed in a railway station, a retail store
or other facilities.

[0109] Thereafter, when a user inserts an IC card 2
into a registered card issuing machine 101 (when the IC
card 2 is set to be allowed to communicate with R/W 1
contained in the registered card issuing machine 101),
the registered card issuing machine 101 carries out the
registered card issuing work, that is, transmits a command
and necessary data to the IC card 2 on the basis
of registered information to form the service defining
area #0008h. Through the above operation, the user is
allowed to be supplied with the service of the manager
A by using the service area managed by the service
defining area #0008h.

[0110] On the other hand, when the managers B1, B2
want to be supplied with the service using the IC card
2, each of them makes a contract with the manager A
so that the manager A registers into the registered card
issuing machine 101 information necessary to form the
area defining areas #0100h and #1000h (3), (4). When
a user inserts an IC card 2 into the registered card issuing
machine 101, the registered card issuing machine
101 performs the registered card issuing work, that is,
transmits a command and necessary data to the IC card
2 on the basis of the registered information to form the
area defining areas #0100h and #1000h, whereby the
managers B1 or B2 can use the resource of the IC card
2 in the range defined in the area defining area #0100h
or #1000h. In this case, the registered card issuing dealer
for the managers B1 and B2 is the manager A.
[0111] Thereafter, when the manager B2 starts to supply
a predetermined service by using the service area
managed by the service defining area #1022h, the manager
B2 registers into the registered card issuing machine
101 information necessary to form the service defining
area #1022h (5). When a user inserts an IC card
2 into the registered card issuing machine 101, the registered
card issuing machine 101 transmits a command
and necessary data to the IC card 2 on the basis of the
registered information to form the service defining area
#1022h. Therefore, the user can be supplied with the
service of the manager B2 using the service area managed
by the service defining area #1022h.
[0112] Further, when the manager C wishes to supply
a service through IC card 2 under the management of
the manager B1, the manager C makes a contract with
the manager B1 so that the manager B1 registers into
the registered card issuing machine 101 information
necessary to form the area defining area #0300h (6).
When a user inserts an IC card 2 into the registered card
issuing machine 101, the registered card issuing machine
101 transmits a command and necessary data to
the IC card 2 on the basis of the registered information
to form the area defining area #0300h, whereby the
manager C can use the resource of the IC card 2 in the
range defined in the area defining area #0300h. In this
case, the registered card issuing dealer for the manager
C is the manager B1.

[0113] Thereafter, when the manager C starts to supply
a predetermined service by using the service area
managed by the service defining area #030Ch, the manager
C registers into the registered card issuing machine
101 information necessary to form the service defining
area #030Ch (7). When a user inserts an IC card
2 into the registered card issuing machine 101, the registered
card issuing machine 101 transmits a command
and necessary data to the IC card 2 on the basis of the
registered information to form the service defining area
#030Ch, whereby the user can accept the supply of the
service from the manager C using the service area managed
by the service defining area #030Ch.
[0114] In the IC card 2, the area defining area and the 
service defining area are formed according to the com- 
mand from the registered card issuing machine 101 as 
described above. The area forming processing of form- 
ing the area defining area and the service forming 
processing of forming the service defining area are per- 
formed by the sequencer 91, for example. The area 
forming processing and the service forming processing 
will be described with reference to Figs. 9 and 10. 
[0115] First, the area forming processing will be described
with reference to the flowchart of Fig. 9.
[0116] When the IC card 2 is inserted into the registered
card issuing machine 101, the registered card issuing
machine 101 transmits to the IC card 2 a command
instructing to form an area defining area (hereinafter
referred to as an area forming command),
information necessary to form the area defining area,
that is, the code range of the area defining area to be
formed, the number of blocks allocated to the area defining
area (hereinafter referred to as allocation block
number) and an area key, for example.

[0117] When receiving the area forming command,
the IC card 2 (sequencer 91) recognizes the code range
of the area defining area to be formed, an allocation
block number, an area key, etc. which are transmitted
together with the area forming command. Further, in the
IC card 2 the area code of the area defining area to be
formed is recognized. That is, in this case, the minimum
value of the code range of the area defining area to be
formed is recognized as the area code thereof. Further,
in the IC card 2, the area defining area having the code
range containing the code range of the area defining
area to be formed is recognized as an area defining area
of the parent layer of the area defining area to be formed.
[0118] In the IC card 2, it is judged in step S1 whether
the area defining area to be formed has been already
formed in EEPROM 66. That is, in step S1 it is judged
whether the area defining area having the same area
code as the area code of the area defining area to be
formed has been already formed.
[0119] If it is judged in step S1 that the area defining
area to be formed has been already formed, the area
forming processing is finished. That is, in the case where
the area defining area to be formed has been already
formed, no subsequent processing is carried out because
it is unnecessary to duplicatively form the same
area defining area.
[0120] If it is judged in step S1 that the area defining
area to be formed has not yet been formed, the processing
goes to step S2 to judge whether the code range of
the area defining area to be formed and the number of
allocated blocks (capacity) are proper or not. That is, it
is judged in step S2 whether the code range of the area
defining area to be formed is contained in the code
range stored in the area defining area of the parent layer
and the allocation block number of the area defining
area to be formed is below the empty capacity stored in
the area defining area of the parent layer.
[0121] When it is judged in step S2 that the code
range of the area defining area to be formed and the
allocation block number are not proper, that is, when the
code range of the area defining area to be formed is
contained in the code range stored in the area defining area
of the parent layer or the allocation block number of the
area defining area to be formed exceeds the empty
capacity stored in the area defining area of the parent layer,
the error processing is carried out in step S3 and then
the area forming processing is finished. That is, in step
S3 a message in which no area defining area can be
formed as a child layer of the area defining area of the
parent layer is transmitted to the registered card issuing
machine 101. Accordingly, in this case, no area defining
area is formed (no registered card issuing work is carried
out).
[0122] On the other hand, if it is judged in step S2 that
the code range of the area defining area to be formed
and the allocation block number are proper, that is, it is
judged that the code range of the area defining area to
be formed is contained in the code range stored in the
area defining area of the parent layer and the allocation
block number of the area defining area to be formed is
below the empty capacity stored in the area defining
area of the parent layer, the area defining area to be
formed is formed as a child layer of the area defining
area of the parent layer in step S4.
[0123] That is, in step S4, the lowermost block (the
empty block having the largest logical address) in the
empty blocks of EEPROM 66 (Fig. 6) is ensured as the
area defining block corresponding to the area defining
area to be formed. Further, the code range, the empty
capacity, the area key, etc. are written (stored) into the
area defining block. Here, in step S4, data transmitted
from the registered card issuing machine 101 are directly
written as the code range and the area key. The value
obtained by subtracting 1 from the allocation block
number transmitted from the registered card issuing machine
101 is written as the empty capacity. The value
obtained by subtracting 1 from the allocation block
number is written because the area defining area thus
formed uses one block.

[0124] Thereafter, the processing goes to step S5 to
rewrite the empty capacity of the area defining area of
the parent layer, and then the area forming processing
is finished. That is, in step S5, the value obtained by
subtracting the allocation block number from the empty
capacity of the area defining area of the parent layer is
newly written as an empty capacity of the area defining
area of the parent layer.

[0125] The area defining areas #0100h, #1000h, 
#0300h of the managers B1, B2, C shown in Fig. 7 are
formed by the above area forming processing. 
[0126] That is, assuming that at the issuance time of
the IC card 2, the manager A who is also the issuer of
the IC card 2 has all the resources of the IC card 2 and
the identification codes or the capacity usable by the IC
card 2 is from 0000h to FFFFh or 65533 blocks, only the
area defining area #0000h of the uppermost layer in
which the code range is from 0000h to FFFFh and the
empty capacity is equal to 65532 exists as an area
defining area at the issuance time of the IC card 2.
[0127] In this embodiment, as shown in Fig. 6, EEP- 
ROM 66 has blocks of 65536, however, the usable ca- 
pacity is equal to 65533 blocks whose number is smaller 
than 65536 by 3 just after issuing the IC card 2 because 
the manufacturing ID block, the issuance ID block and 
the system defining block exist. 
[0128] Further, the empty capacity of the area defining
area #0000h of the uppermost layer is equal to 65532 
blocks whose number is smaller than the usable capac- 
ity of 65533 blocks by one block because the area de- 
fining area #0000h itself uses one block. 
[0129] When the manager A shares with the manager B1
the identification codes in the range from 0100h to
03FFh and 33 blocks in the resources thereof, the area 
forming processing is carried out to form the area defin- 
ing area #0100h. That is, in this case, 0100h to 03FFh 
and 32 blocks are written as a code range and an empty 
capacity respectively into the area defining area 
#0100h. The empty capacity is smaller than the number 
of 33 blocks shared from the manager A by one block 
because the area defining area #0100h itself uses one 
block. 

[0130] When the area defining area #0100h is formed, 
the empty capacity of the area defining area #0000h of 
the manager A is reduced by 33 blocks shared to the 
manager B1. 

[0131] When the manager A shares with the manager B2
the identification codes of the range from 1000h to
1FFFh and 49 blocks, the area forming processing is
carried out to form the area defining area #1000h. That
is, in this case, 1000h to 1FFFh and 48 blocks are written
as a code range and an empty capacity respectively into 
the area defining area #1000h. The empty capacity is 
smaller than the number of 49 blocks shared from the 
manager A by one block because the area defining area 
#1000h itself uses one block. 

[0132] When the area defining area #1000h is formed,
the empty capacity of the area defining area #0000h of 
the manager A is reduced by 33 blocks shared from the 
manager B2. 

[0133] When the area defining area #0100h or 
#1000h is formed as described above, the manager B1 
or B2 is allowed to form in the layer of the area defining 
area #0100h or #1000h an area defining area and a 
service defining area as child layers of the above layer. 
[0134] For example, when the manager B1 shares with the
manager C the identification codes of the range from
0300h to 03FFh and 18 blocks, the area forming
processing is carried out to form the area defining area
#0300h. That is, in this case, 0300h to 03FFh and 17
blocks are written as a code range and an empty capacity
into the area defining area #0300h. The empty capacity
is smaller than the number of 18 blocks shared
from the manager B1 by one block because the area
defining area #0300h itself uses one block.
[0135] When the area defining area #0300h is formed,
the empty capacity of the area defining area #0100h of 
the manager B1 is reduced by the number of 18 blocks 
shared from the manager C. That is, as described 
above, the empty capacity of the area defining area 
#0100h is equal to 32 blocks when the area defining ar- 
ea #0100h is formed. However, as shown in Fig. 7, 18 
blocks are reduced from the empty capacity and thus 
the empty capacity is equal to 14 blocks. 
[0136] Next, the service forming processing will be 
described with reference to the flowchart of Fig. 10. 
[0137] When the IC card 2 is inserted into the registered
card issuing machine 101, the registered card issuing
machine 101 transmits to the IC card 2 a command
instructing to form a service defining area (hereinafter
referred to as a service forming command),
information necessary to form the service defining area,
that is, a service code of the service defining area to be
formed, the number of blocks allocated to the service
defining area (hereinafter referred to as allocation block
number) and a service key, etc.
[0138] When the service forming command is re- 
ceived, the IC card 2 (sequencer 91) recognizes the 
service code of the service defining area to be formed, 
the allocation block number, the service key, etc. Fur- 
ther, in the IC card 2, the area defining area having the 
code range containing the service code of the service 
defining area to be formed is recognized as an area de- 
fining area of the parent layer of the service defining ar- 
ea to be formed. 

[0139] In the IC card 2, it is judged in step S11 whether
the service defining area to be formed has been already 
formed in EEPROM 66. That is, it is judged in the step 
S11 whether a service defining area having the same 
service code as the service defining area to be formed 
has been already formed. 

[0140] When it is judged in the step S11 that the service
defining area to be formed has been already formed,
the service forming processing is finished. That is, when
the service defining area to be formed has been already 
formed, the subsequent processing is not carried out be- 
cause it is not necessary to duplicatively form the same 
service defining area. 

[0141] Further, if it is judged in step S11 that the serv- 
ice defining area to be formed has not been formed, the 
processing goes to step S12 to judge whether the service
code of the service defining area to be formed and
the allocation block number (capacity) are proper or not.
That is, it is judged in step S12 whether the service code
of the service defining area to be formed is contained in
the code range stored in the area defining area of the
parent layer and the allocation block number of the service
defining area to be formed is below the empty capacity
stored in the area defining area of the parent layer. 
[0142] If it is judged in step S12 that the service code
of the service defining area to be formed and the allocation
block number are not proper, that is, if the service
code of the service defining area to be formed is not
contained in the code range stored in the area defining area
of the parent layer or the allocation block number of the
service defining area to be formed exceeds the empty
capacity stored in the area defining area of the parent
layer, the processing goes to step S13 to perform the
error processing, and then the area forming processing
is finished. That is, in step S13 a message in which no
service defining area can be formed in the layer of
the area defining area of the parent layer is transmitted
to the registered card issuing machine 101. Accordingly,
in this case, no service defining area can be formed.
[0143] On the other hand, if it is judged in step S12 that
the service code of the service defining area to be
formed and the allocation block number are proper, that
is, if the service code of the service defining area to be
formed is contained in the code stored in the area defining
area of the parent layer and the allocation block
number of the service defining area to be formed is below
the empty capacity stored in the area defining area
of the parent layer, the processing goes to step S14 in
which the service defining area to be formed is formed
in the layer of the area defining area of the parent layer.
[0144] That is, in step S14, the lowermost block (an
empty block having the largest logical address) in the
empty blocks of EEPROM 66 (Fig. 6) is ensured as the
service defining block corresponding to the service defining
area to be formed. Further, the service code, the
capacity, the service key, etc. are written into the service
defining block. In this case, in step S14, the service code
and the service key transmitted from the registered card
issuing machine 101 are directly written. The value obtained
by subtracting 1 from the allocation block number
transmitted from the registered card issuing machine
101 is written as the capacity. The value obtained
by subtracting 1 from the allocation block number is written
because the service defining area to be formed uses
one block.

[0145] In step S14, empty blocks whose number cor- 
responds to the capacity written in the service defining 
25 area thus formed are selected in logical-address in- 
creasing order, and ensured as user blocks constituting 
the service area managed by the service defining area. 
Thereafter, the processing goes to step S15. 
[0146] In step S15, the empty capacity of the area de- 
30 fining area of the parent layer is rewritten, and the serv- 
ice forming processing is finished. That is. in step S15, 
the value obtained by subtracting the allocation block 
number from the empty capacity of the area defining ar- 
ea of the parent layer is newly written as the empty ca- 
35 pacity of the area defining area. 

[0147] The service defining areas #0008h, #1022h, 
#030Ch of the managers A, B2, C shown in Fig. 7 are 
formed by performing the above service forming 
processing. 

[0148] That is, when the manager A supplies its services by using the
identification code of 0008h and the capacity of 9 blocks in the resources
thereof, the service forming processing is carried out to form the service
defining area #0008h, and 8 blocks are written as a capacity into the service
defining area #0008h. Further, eight empty blocks are ensured as user blocks,
and set as a service area managed by the area defining area #0008h. The
capacity written in the service defining area #0008h is smaller than the
number of 9 blocks by one block because the service defining area #0008h uses
one block.

[0149] When the service defining area #0008h is formed, the empty capacity of
the area defining area #0000h of the manager A is reduced by nine blocks
which are shared to the service defining area #0008h.

[0150] As described above, the manager A can supply services by using the
service area of eight blocks managed by the service defining area #0008h.
[0151] When the manager B2 supplies services by using the identification code
of 1022h and a capacity of 5 blocks in the resources thereof, the service
forming processing is carried out to form the service defining area #1022h,
and 4 blocks are written as a capacity into the service defining area #1022h.
Further, four empty blocks are ensured as user blocks and set as a service
area managed by the area defining area #1022h. The capacity written in the
service defining area #1022h is smaller than the number of 5 blocks by one
block because the service defining area #1022h itself uses one block.

[0152] When the service defining area #1022h is formed, the empty capacity of
the area defining area #1000h of the manager B2 is reduced by 5 blocks shared
to the service defining area #1022h. That is, as described above, the empty
capacity is equal to 48 blocks at the time when the area defining area #1000h
is formed; however, it is reduced by 5 blocks and thus equal to 43 blocks as
shown in Fig. 7.

[0153] As described above, the manager B2 is allowed to supply services by
using the service area of four blocks managed by the service defining area
#1022h.

[0154] Further, when the manager C supplies services by using, for example,
the identification code of 030Ch and the capacity of 17 blocks in the
resources thereof, the service forming processing is carried out to form the
service defining area #030Ch, and 16 blocks are written as a capacity into
the service defining area #030Ch. Further, 16 empty blocks are ensured as
user blocks and set as a service area managed by the area defining area
#030Ch. The capacity written in the service defining area #030Ch is smaller
than the number of 17 blocks by one block because the service defining area
#030Ch itself uses one block.

[0155] When the service defining area #030Ch is formed, the empty capacity of
the area defining area #0300h of the manager C is reduced by 17 blocks shared
to the service defining area #030Ch. That is, as described above, the empty
capacity is equal to 17 blocks at the time when the area defining area #0300h
is formed; however, it is reduced by 17 blocks and thus equal to zero as
shown in Fig. 7.

[0156] As described above, the manager C is allowed to supply services by
using the service area of 16 blocks managed by the service defining area
#030Ch.
[0157] As described above, EEPROM 66 is managed on the basis of the area
defining area in which the code range and the empty capacity are stored, so
that the resource management of the IC card 2 can be performed. That is, the
capacity and identification codes which are usable in the layer of an area
defining area can be restricted. As a result, even when a manager shares a
part of the resources allocated thereto (in this case, usable capacity and
identification codes) to another manager so that the IC card 2 is commonly
usable, the identification code can be prevented from being overlapped
between different managers, and the manager can be prevented from using
EEPROM 66 in excess of a capacity which is predetermined through a contract
or the like.
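The service forming processing of steps S12 to S15, replayed on the Fig. 7 figures for managers B2 and C, as an added example that is not code from the patent. The code ranges, block addresses and key bytes are constructed, the names `AreaDef`, `ServiceDef` and `form_service` are hypothetical, and an allocation equal to the empty capacity is accepted because the #030Ch case consumes all 17 blocks.

```python
from dataclasses import dataclass, field


class FormingError(Exception):
    """Raised where the card would run the step S13 error processing."""


@dataclass
class ServiceDef:
    code: int
    capacity: int        # user blocks only: allocation block number minus 1
    key: bytes
    def_block: int       # logical address of the service defining block
    user_blocks: list


@dataclass
class AreaDef:
    code_lo: int         # code range usable in this layer (inclusive)
    code_hi: int
    empty_capacity: int  # blocks this layer may still hand out
    services: dict = field(default_factory=dict)


def form_service(area, empty_blocks, code, alloc_blocks, key):
    """Steps S12 to S15 for one request from the issuing machine."""
    # S12: the service code must lie in the parent layer's code range ...
    if not area.code_lo <= code <= area.code_hi:
        raise FormingError(f"service code {code:04X}h outside code range")
    # ... and the allocation must not exceed the parent's empty capacity.
    if alloc_blocks > area.empty_capacity:
        raise FormingError("allocation exceeds empty capacity of parent")
    # Added sanity check (an assumption, not stated in the text): at least
    # the defining block is needed and the physical pool must hold the blocks.
    if alloc_blocks < 1 or alloc_blocks > len(empty_blocks):
        raise FormingError("allocation does not fit the empty block pool")

    # S14: the empty block with the largest logical address becomes the
    # service defining block; the capacity excludes that one block.
    empty_blocks.sort()
    def_block = empty_blocks.pop()
    capacity = alloc_blocks - 1
    # User blocks are taken in increasing logical-address order.
    user_blocks = empty_blocks[:capacity]
    del empty_blocks[:capacity]
    service = ServiceDef(code, capacity, key, def_block, user_blocks)
    area.services[code] = service

    # S15: the parent's empty capacity drops by the full allocation.
    area.empty_capacity -= alloc_blocks
    return service


def fig7_demo():
    """Form #1022h (5 blocks) and #030Ch (17 blocks) as in Fig. 7."""
    pool = list(range(100, 200))            # constructed logical addresses
    area_b2 = AreaDef(0x1000, 0x1FFF, 48)   # code range assumed, 48 from text
    area_c = AreaDef(0x0300, 0x03FF, 17)    # code range assumed, 17 from text
    s_b2 = form_service(area_b2, pool, 0x1022, 5, b"constructed-b2")
    s_c = form_service(area_c, pool, 0x030C, 17, b"constructed-c")
    return area_b2, s_b2, area_c, s_c, pool


def rejected(area, pool, code, alloc_blocks):
    """True if the request ends in the S13 error path."""
    try:
        form_service(area, pool, code, alloc_blocks, b"constructed")
    except FormingError:
        return True
    return False


if __name__ == "__main__":
    area_b2, s_b2, area_c, s_c, pool = fig7_demo()
    print(s_b2.capacity, area_b2.empty_capacity)   # #1022h
    print(s_c.capacity, area_c.empty_capacity)     # #030Ch
```
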
[0158] In the IC card 2, the storage area of EEPROM 66 has the layer
structure in which the area defining area is layered as described with
respect to Fig. 7, and keys for certification (in this embodiment, a key for
an area defining area and a key for a service defining area are referred to
as an area key and a service key respectively) are stored in the area
defining area and the service defining area respectively, so that access
control which is high in flexibility and safety to the IC card 2 can be
performed.

[0159] That is, access control which is high in flexibility and safety to the
IC card 2 can be implemented by delivering information as shown in Fig. 11
between managers.

[0160] Specifically, the manager A which also serves as the issuer of the IC
card 2 determines a system key to be stored in the system defining block of
EEPROM 66 (Fig. 6) and an area key of the area defining area #0000h of
itself, and stores the system key in the system defining block while storing
the area key #0000h in the area defining area #0000h. Here, the area key of
the area defining area #xxxxh is hereinafter referred to as area key #xxxxh.

[0161] Further, the manager A encrypts the system key with the area key
#0000h and generates an area intermediate key K_A. DES (Data Encryption
Standard), FEAL (Fast Data Encipherment Algorithm) or the like may be used as
an encrypting method.
[0162] When the manager A shares the resources thereof to the manager B1, the
manager A gives the area intermediate key K_A to the manager B1. Further, the
manager A determines the area key #0100h of the manager B1 and gives
(distributes) it to the manager B1 together with the area code #0000h
thereof.

[0163] Accordingly, the manager B1 can recognize the area intermediate key
K_A and the area key #0100h thereof; however, it cannot recognize the system
key and the area key #0000h of the manager A, which is a so-called parent.
However, the area key #0100h of the manager B1 is given to the manager B1
serving as a so-called child by the manager A serving as the parent, and thus
the manager A serving as the parent recognizes the area key #0100h of the
manager B1 serving as the child.

[0164] The area key #0100h given to the manager B1 by the manager A is
written into the area defining area #0100h through the area forming
processing (Fig. 9) of the area defining area #0100h of the manager B1.

[0165] The manager B1 encrypts the area intermediate key K_A obtained from
the manager A serving as the parent thereof on the basis of the area key
#0100h obtained from the manager A to generate an area intermediate key K_B1.

[0166] The manager A also gives the area intermediate key K_A to the manager
B2 when it shares the resources thereof to the manager B2. Further, the
manager A determines the area key #1000h of the manager B2, and gives it to
the manager B2 together with the area code #0000h thereof.

[0167] Accordingly, the manager B2 can recognize the area intermediate key
K_A and the area key #1000h thereof; however, it cannot recognize the system
key and the area key #0000h of the manager A serving as the parent. However,
since the area key #1000h of the manager B2 is given to the manager B2
serving as the child by the manager A serving as the parent, the manager A
serving as the parent recognizes the area key #1000h of the manager B2
serving as the child.

[0168] The area key #1000h given to the manager B2 by the manager A is
written into the area defining area #1000h thereof in the area forming
processing of the area defining area #1000h of the manager B2.

[0169] The manager B2 encrypts the area intermediate key K_A obtained from
the manager A serving as the parent thereof on the basis of the area key
#1000h obtained from the manager A to generate an area intermediate key K_B2.

[0170] On the other hand, when the manager B1 shares the resources thereof to
the manager C, the manager B1 gives the area intermediate key K_B1 to the
manager C. Further, the manager B1 determines the area key #0300h of the
manager C and gives it to the manager C together with the area code #0100h
thereof and the area code #0000h of the manager A serving as the parent.

[0171] Accordingly, the manager C can recognize the area intermediate key
K_B1 and the area key #0300h thereof; however, it cannot recognize the area
key #0100h of the manager B1 serving as the parent. However, since the area
key #0100h is given to the manager C serving as the child by the manager B1
serving as the parent, the manager B1 serving as the parent recognizes the
area key #0300h of the manager C serving as the child.

[0172] The area key #0300h given to the manager C by the manager B1 is
written in the area defining area #0300h thereof through the area forming
processing of the area defining area #0300h of the manager C.

[0173] The manager C encrypts the area intermediate key K_B1 obtained from
the manager B1 serving as the parent on the basis of the area key #0300h
obtained from the manager B1 to generate an area intermediate key K_C.

[0174] When the manager A supplies its services by using the service area
managed by the service defining area #0008h formed in the layer of the area
defining area #0000h thereof, as shown in Fig. 12, the manager A encrypts the
service key stored in the service defining area #0008h (the service key
stored in the service defining area #xxxxh is hereinafter referred to as a
service key #xxxxh) on the basis of the area intermediate key K_A to generate
a service intermediate key K_#0008h, and registers it into a service supply
machine 111 together with the area intermediate key K_A. Further, the manager
A registers the area code #0000h of the area defining area #0000h thereof and
the service code #0008h of the service defining area #0008h formed in the
layer of the area defining area #0000h into the service supply machine 111.

[0175] Here, the service supply machine 111 is constructed by R/W 1 and the
controller 3 shown in Fig. 3, for example, and data are read/written from/in
a predetermined area to supply a predetermined service.

[0176] In this case, when the IC card 2 is inserted into the service supply
machine 111, the following mutual certification is carried out between the
service supply machine 111 and the IC card 2.

[0177] That is, the service supply machine 111, as shown in Fig. 13,
transmits the registered area code #0000h and service code #0008h to the IC
card 2. In the IC card 2 (sequencer 91), the area code #0000h and the service
code #0008h from the service supply machine 111 are received.

[0178] In the IC card 2, the system key stored in the system defining block
(Fig. 6) is read out, and also the area key #0000h is read out from the area
defining area having the area code #0000h received from the service supply
machine 111. Further, the system key is encrypted on the basis of the area
key #0000h, so that the same key as the area intermediate key K_A registered
in the service supply machine 111 of Fig. 12 is generated. The same key as
the area intermediate key K_A is set as a first access key K_bc
(certification key) used for certification.

[0179] In the IC card 2, the service key #0008h is read from the service
defining area having the service code #0008h received from the service supply
machine 111. The area intermediate key K_A is encrypted on the basis of the
service key #0008h, so that the same key as the service intermediate key
K_#0008h registered in the service supply machine 111 of Fig. 12 is
generated. The same key as the service intermediate key K_#0008h is set as a
second access key K_ac used for certification.

[0180] Accordingly, in this case, the area intermediate key K_A or the
service intermediate key K_#0008h which serves as the first access key K_bc
or the second access key K_ac is registered in the service supply machine
111, whereby the area intermediate key K_A or the service intermediate key
K_#0008h serving as the first access key K_bc or the second access key K_ac
is generated in the IC card 2.

[0181] The service supply machine 111 certifies the IC card 2 as shown in
Fig. 14, for example.

[0182] That is, in the service supply machine 111, a random number is
generated, and it is converted according to an algorithm E1. That is, the
random number is encrypted (for example, DES-encrypted) on the basis of the
second access key K_ac, and the encryption result is decoded (for example,
DES-decoded) on the basis of the first access key K_bc. The decoding result
is encrypted on the basis of the second access key K_ac. The conversion
result of the random number based on the algorithm E1 is transmitted to the
IC card 2.

[0183] In the IC card 2, the conversion result of the random number based on
the algorithm E1 from the service supply machine 111 is converted according
to the algorithm D1. That is, the conversion result based on the algorithm E1
is decoded on the basis of the second access key K_ac, and the decoding
result is encrypted on the basis of the first access key K_bc. Further, the
encryption result is decoded on the basis of the second access key K_ac.

[0184] In the IC card 2, the conversion result based on the algorithm D1 is
further converted according to the algorithm E2. That is, the conversion
result based on the algorithm D1 is encrypted on the basis of the first
access key K_bc, and the first access key K_bc is encrypted on the basis of
the second access key K_ac. The encryption result based on the first access
key K_bc for the conversion result based on the algorithm D1 is decoded on
the basis of the encryption result based on the second access key K_ac of the
first access key K_bc. The decoding result is encrypted on the basis of the
first access key K_bc and transmitted to the service supply machine 111.
[0185] In the service supply machine 111, the conversion result based on the
algorithm E2 from the IC card 2 is converted according to the algorithm D2.
That is, the conversion result based on the algorithm E2 is decoded on the
basis of the first access key K_bc, and the first access key K_bc is
encrypted on the basis of the second access key K_ac. The decoding result
based on the first access key K_bc for the conversion result based on the
algorithm E2 is encrypted on the basis of the encryption result of the first
access key K_bc based on the second access key K_ac. The encryption result is
decoded on the basis of the first access key K_bc.

[0186] In the service supply machine 111, the original random number and the
conversion result based on the algorithm D2 are compared with each other to
certify the IC card 2. That is, when the original random number is coincident
with the conversion result based on the algorithm D2, it is recognized that
the IC card 2 is proper. On the other hand, if they are not coincident with
each other, the IC card 2 is regarded as being improper (for example, it is
forged).

[0187] If the IC card 2 is recognized to be proper, the certification of the
service supply machine 111 is carried out in the IC card 2 as shown in Fig.
15, for example.

[0188] That is, in the IC card 2, the random number is generated, and the
random number is converted according to the algorithm E2 and transmitted to
the service supply machine 111.

[0189] In the service supply machine 111, the conversion result of the random
number based on the algorithm E2 from the IC card 2 is converted according to
the algorithm D2. Further, the conversion result based on the algorithm D2 is
converted according to the algorithm E1 and transmitted to the IC card 2.
[0190] In the IC card 2, the conversion result based on the algorithm E1 from
the service supply machine 111 is converted according to the algorithm D1,
and the conversion result and the original random number are compared with
each other to perform the certification for the service supply machine 111.
That is, when the original random number is coincident with the conversion
result based on the algorithm D2, the service supply machine 111 is
recognized as being proper. On the other hand, if they are not coincident
with each other, the service supply machine 111 is recognized as being
improper (for example, modified).

[0191] When both of the IC card 2 and the service supply machine 111 are
recognized to be proper, an access to only the service area managed by the
service defining area having the service code transmitted from the service
supply machine 111 is permitted in the IC card 2. Accordingly, in the case
described with respect to Figs. 12 and 13, an access to only the service area
managed by the service defining area #0008h is possible.
[0192] That is, the manager A who knows the area intermediate key K_A, the
area code #0000h, the service key #0008h and the service code #0008h can
access the service area managed by the service defining area #0008h. However,
the manager A knows neither the service key #1022h nor the service key
#030Ch, so that it cannot basically access the service area managed by the
service defining area #1022h or #030Ch.
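The key chain of Figs. 11 to 13 and the two-way challenge-response of Figs. 14 and 15, as an added example that is not code from the patent. A toy Feistel cipher built on SHA-256 stands in for DES or FEAL and is not secure, all key values are constructed, the names `Card`, `manager_chain` and `mutual_auth` are hypothetical, and the service intermediate key follows the card-side description (the area intermediate key encrypted under the service key).

```python
import hashlib
import hmac
import secrets


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher (stand-in for DES, not secure).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(key: bytes, block: bytes) -> bytes:
    """Encrypt one 64-bit block under key (8-round Feistel)."""
    l, r = block[:4], block[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def dec(key: bytes, block: bytes) -> bytes:
    """Inverse of enc()."""
    l, r = block[:4], block[4:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


# Algorithms E1/D1 and E2/D2 as described for Figs. 14 and 15.
def e1(k_bc, k_ac, x):
    return enc(k_ac, dec(k_bc, enc(k_ac, x)))

def d1(k_bc, k_ac, y):
    return dec(k_ac, enc(k_bc, dec(k_ac, y)))

def e2(k_bc, k_ac, x):
    k2 = enc(k_ac, k_bc)   # first access key encrypted under the second
    return enc(k_bc, dec(k2, enc(k_bc, x)))

def d2(k_bc, k_ac, y):
    k2 = enc(k_ac, k_bc)
    return dec(k_bc, enc(k2, dec(k_bc, y)))


# Constructed sample keys; real values would be chosen by each manager.
SYSTEM_KEY = bytes.fromhex("0011223344556677")
AREA_KEYS = {0x0000: b"areaA000", 0x0100: b"areaB100",
             0x0300: b"areaC300", 0x1000: b"areaB2__"}
SERVICE_KEYS = {0x0008: b"svc0008_", 0x030C: b"svc030C_", 0x1022: b"svc1022_"}


class Card:
    """Stores only raw keys; access keys are recomputed per request."""

    def __init__(self, system_key, area_keys, service_keys):
        self.system_key = system_key
        self.area_keys = area_keys
        self.service_keys = service_keys

    def access_keys(self, area_codes, service_code):
        k = self.system_key
        for code in area_codes:          # uppermost layer first
            k = enc(self.area_keys[code], k)
        k_bc = k                         # first access key
        k_ac = enc(self.service_keys[service_code], k_bc)  # second access key
        return k_bc, k_ac


def manager_chain():
    """What each manager computes, seeing only its parent's intermediate key."""
    k_a = enc(AREA_KEYS[0x0000], SYSTEM_KEY)   # manager A
    k_b1 = enc(AREA_KEYS[0x0100], k_a)         # manager B1, given K_A
    k_c = enc(AREA_KEYS[0x0300], k_b1)         # manager C, given K_B1
    k_030c = enc(SERVICE_KEYS[0x030C], k_c)    # service intermediate key
    return k_a, k_b1, k_c, k_030c


def mutual_auth(machine_keys, card_keys) -> bool:
    m_bc, m_ac = machine_keys
    c_bc, c_ac = card_keys
    # Fig. 14: the machine certifies the card.
    r = secrets.token_bytes(8)
    to_card = e1(m_bc, m_ac, r)
    to_machine = e2(c_bc, c_ac, d1(c_bc, c_ac, to_card))
    if not hmac.compare_digest(d2(m_bc, m_ac, to_machine), r):
        return False
    # Fig. 15: the card certifies the machine.
    r2 = secrets.token_bytes(8)
    to_machine = e2(c_bc, c_ac, r2)
    to_card = e1(m_bc, m_ac, d2(m_bc, m_ac, to_machine))
    return hmac.compare_digest(d1(c_bc, c_ac, to_card), r2)


if __name__ == "__main__":
    card = Card(SYSTEM_KEY, AREA_KEYS, SERVICE_KEYS)
    _, _, k_c, k_030c = manager_chain()
    path = [0x0000, 0x0100, 0x0300]
    print(mutual_auth((k_c, k_030c), card.access_keys(path, 0x030C)))
```

A machine holding manager A's registered pair for #0008h fails the exchange when it names #030Ch, because the card derives its access keys from the codes it receives.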
[0193] Next, when the manager B2 supplies its services by using the service
area managed by the service defining area #1022h formed in the layer of the
area defining area #1000h thereof, it encrypts the service key #1022h stored
in the service defining area #1022h on the basis of the area intermediate key
K_B2 as shown in Fig. 16 to generate a service intermediate key K_#1022h and
registers it together with the area intermediate key K_B2 into the service
supply machine 111. The manager B2 registers into the service supply machine
111 the area code of the area defining area of an upper layer above the layer
of the area defining area #1000h thereof, that is, in this case, the area
code #0000h of the area defining area #0000h of the manager A and the area
code #1000h of the area defining area #1000h thereof, and the service code
#1022h of the service defining area #1022h formed in the layer of the area
defining area #1000h.

[0194] In this case, when the IC card 2 is inserted into the service supply
machine 111, the following mutual certification is carried out between the
service supply machine 111 and the IC card 2.

[0195] That is, as shown in Fig. 17, the service supply machine 111 transmits
the registered area codes #0000h and #1000h, and the service code #1022h to
the IC card 2. In the IC card 2 (sequencer 91), the area codes #0000h and
#1000h and the service code #1022h are received from the service supply
machine 111.

[0196] In the IC card 2, the system key stored in the system defining block
(Fig. 6) is read out, and the area key #0000h or #1000h is read out from the
area defining area having the area code #0000h or #1000h received from the
service supply machine 111. Further, the system key is encrypted on the basis
of the area key #0000h, so that the same key as the area intermediate key K_A
is generated. The same key as the area intermediate key K_A is encrypted on
the basis of the area key #1000h, so that the same key as the area
intermediate key K_B2 registered in the service supply machine 111 of Fig. 16
is generated. The same key as the area intermediate key K_B2 is set as a
first access key K_bc used for certification.

[0197] In the IC card 2, the service key #1022h is read out from the service
defining area having the service code #1022h received from the service supply
machine 111. The same key as the area intermediate key K_B2 is encrypted on
the basis of the service key #1022h, so that the same key as the service
intermediate key K_#1022h registered in the service supply machine 111 of
Fig. 16 is generated. The same key as the service intermediate key K_#1022h
is set as a second access key K_ac used for certification.

[0198] Accordingly, in this case, the area intermediate key K_B2 or the
service intermediate key K_#1022h which is the first access key K_bc or the
second access key K_ac is registered in the service supply machine 111, and
in the IC card 2 the area intermediate key K_B2 or the service intermediate
key K_#1022h which is the first access key K_bc or the second access key K_ac
is generated.

[0199] The mutual certification is carried out between the IC card 2 and the
service supply machine 111 as in the case described with reference to Figs.
14 and 15.

[0200] As a result of the mutual certification, when both the IC card 2 and
the service supply machine 111 are recognized to be proper, the access to
only the service area managed by the service defining area having the service
code transmitted from the service supply machine 111 is permitted in the IC
card 2. Accordingly, in the case of Figs. 16 and 17, the access to only the
service area managed by the service defining area #1022h is possible.

[0201] That is, the manager B2 who knows the area intermediate key K_B2, the
area codes #0000h, #1000h, the service key #1022h and the service code #1022h
can access the service area managed by the service defining area #1022h.
However, the manager B2 knows neither the service key #0008h nor #030Ch, and
thus it cannot basically access the service areas managed by the service
defining areas #0008h and #030Ch.
[0202] Next, when the manager C supplies the services by using the service
area managed by the service defining area #030Ch formed in the layer of the
area defining area #0300h thereof, it encrypts the service key #030Ch stored
in the service defining area #030Ch on the basis of the area intermediate key
K_C as shown in Fig. 18 to generate a service intermediate key K_#030Ch, and
registers it together with the area intermediate key K_C into the service
supply machine 111. The manager C also registers into the service supply
machine 111 the area code of the area defining area of an upper layer above
the layer of the area defining area #0300h thereof, that is, in this case,
the area code #0000h of the area defining area #0000h of the manager A, the
area code 0100h of the area defining area #0100h of the manager B1, the area
code #0300h of the area defining area #0300h thereof and the service code
#030Ch of the service defining area #030Ch formed in the layer of the area
defining area #0300h.

[0203] In this case, when the IC card 2 is inserted into the service supply
machine 111, the following mutual certification is carried out between the
service supply machine 111 and the IC card 2.

[0204] That is, as shown in Fig. 19, the registered area codes #0000h, #0100h
and #0300h and the service code #030Ch are transmitted to the IC card 2. In
the IC card 2 (sequencer 91), the area codes #0000h, #0100h and #0300h and
the service code #030Ch are received from the service supply machine 111.
[0205] In the IC card 2, the system key stored in the system defining block
(Fig. 6) is read out, and also the area key #0000h, #0100h or #0300h is read
out from the area defining area having the area code #0000h, #0100h or #0300h
which is received from the service supply device 111. Further, the system key
is encrypted on the basis of the area key #0000h, so that the same key as the
area intermediate key K_A is generated. The same key as the area intermediate
key K_A is encrypted on the basis of the area key #0100h, so that the same
key as the area intermediate key K_B1 is generated. The same key as the area
intermediate key K_B1 is encrypted on the basis of the area key #0300h, so
that the same key as the area intermediate key K_C registered in the service
supply machine 111 of Fig. 18 is generated. The same key as the area
intermediate key K_C is set as a first access key K_bc used for
certification.

[0206] In the IC card 2, the service key #030Ch is read out from the service
defining area having the service code #030Ch received from the service supply
machine 111. The area intermediate key K_C is encrypted on the basis of the
service key #030Ch, thereby generating the same key as the service
intermediate key K_#030Ch registered in the service supply machine 111 of
Fig. 18. The same key as the service intermediate key K_#030Ch is set as a
second access key K_ac used for certification.

[0207] Accordingly, in the above case, the area intermediate key K_C or the
service intermediate key K_#030Ch which is the first access key K_bc or the
second access key K_ac is registered in the service supply machine 111, and
the area intermediate key K_C or the service intermediate key K_#030Ch which
is the first access key K_bc or the second access key K_ac is generated in
the IC card 2.
[0208] The mutual certification is carried out between the IC card 2 and the
service supply machine 111 as in the case of Figs. 14 and 15.

[0209] As a result of the mutual certification, if both the IC card 2 and the
service supply machine 111 are recognized as being proper, an access to only
the service area managed by the service defining area having the service code
transmitted from the service supply machine 111 is permitted in the IC card
2. Accordingly, in the case of Figs. 18 and 19, the access to only the
service area managed by the service defining area #030Ch is possible.

[0210] That is, the manager C which knows the area intermediate key K_C, the
area codes #0000h, #0100h, #0300h, the service key #030Ch and the service
code #030Ch can access the service area managed by the service defining area
#030Ch. However, the manager C knows neither the service key #0008h nor the
service key #1022Ch, and basically, it cannot access the service area managed
by the service defining area #0008h or #1022Ch.

[0211] As described above, the manager can access the service area thereof
even when it does not know the area key of the upper layer.

[0212] As described above, each manager cannot access any service area
managed by a service defining area for which the manager does not know the
service key. However, for example, there is a case where the manager C wishes
to perform not only services using the service area managed by the service
defining area #030Ch thereof, but also services using the service area
managed by the service defining area #1022h of the manager B2.

[0213] In this case, in order for the manager C to access the service area
managed by the service defining area #1022h, it is necessary for the manager
C to know the area intermediate key K_B2, the area codes #0000h, #1000h, the
service key #1022h and the service code #1022h as described with reference to
Figs. 16 and 17. Accordingly, it is necessary to obtain this information from
the manager B2.

[0214] However, the service key #1022h known by the manager B2 is not known
even by the manager A serving as the parent of the manager B2, and thus it is
unfavorable from the viewpoint of security that the service key #1022h, which
is allowed to be known by only the manager B2, is disclosed to the manager C.

[0215] In this case, even when the security problem is neglected, in order
for the manager C to access both of the two service areas managed by the
service defining areas #030Ch and #1022h respectively, it is necessary to
carry out the processing shown in Fig. 17 in the IC card 2 to generate the
first access key K_bc and the second access key K_ac and perform mutual
certification for an access to the service area managed by the service
defining area #030Ch, and also carry out the processing shown in Fig. 19 to
generate the first access key K_bc and the second access key K_ac and perform
mutual certification for an access to the service area managed by the service
defining area #1022h.
[0216] Accordingly, when the mutual certification for an access to a service
area is carried out for every service area, it is difficult to access the
service area quickly. As a result, when the card system of Fig. 3 is applied
to the examination of tickets in a station, it is difficult to access a
predetermined service area of the IC card 2 and write or read data during the
relatively short period in which a commuter passes through a gate provided at
a ticket barrier.

[0217] Therefore, in a case where the manager C supplies not only services
using the service area managed by the service defining area #030Ch thereof,
but also services using the service area managed by the service defining area
#1022h of the manager B2, in order to solve the security problem and ensure a
quick access to the service area, information delivery as shown in Fig. 20 is
carried out between the managers C and B2 and registered into the service
supply machine 111.

[0218] That is, the manager C encrypts the service key #030Ch stored in the
service defining area #030Ch on the basis of the area intermediate key K_C as
in the case of Fig. 18 to generate the service intermediate key K_#030Ch.
Further, the manager C delivers the service intermediate key K_#030Ch to the
manager B2 to encrypt it on the basis of the service key #1022h. The manager
C receives the service intermediate key K_#1022h, which is an encryption
result of the service intermediate key K_#030Ch on the basis of the service
key #1022h, together with the service code #1022h.

[0219] Accordingly, only the service intermediate keys K_#030Ch and K_#1022h
are delivered between the managers C and B2, and there is neither a case
where the service key #030Ch which is known by only the manager C is known by
the manager B2, nor a case where the service key #1022h which is known by
only the manager B2 is known by the manager C. That is, there is no problem
in security.

[0220] The manager C which receives the service intermediate key K_#1022h and
the service code #1022h from the manager B2 registers into the service supply
machine 111 the area codes of the area defining areas in upper layers above
the layer of the area defining area #0300h thereof, that is, in this case,
the area code #0000h of the area defining area #0000h of the manager A, the
area code 0100h of the area defining area #0100h of the manager B1 and the
area code #0300h of the area defining area #0300h of the manager C. Further,
the manager C registers into the service supply machine 111 the area
intermediate key and the service code #030Ch of the service defining area
#030Ch formed in the layer of the area defining area #0300h.
[0221] In this case, when the service supply machine
111 is inserted into the IC card 2, the following mutual
certification is carried out between the service supply
machine 111 and the IC card 2.

[0222] That is, as shown in Fig. 21, the service supply
machine 111 transmits to the IC card 2 the registered
area codes #0000h, #0100h and #0300h and the service
codes #030Ch and #1022h. In the IC card 2 (sequencer 91),
the area codes #0000h, #0100h and
#0300h and the service codes #030Ch and #1022h are
received from the service supply machine 111.
[0223] In the IC card 2, the system key stored in the
system defining block (Fig. 6) is read out, and the area
key #0000h, #0100h or #0300h is read out from the area
defining area having the area code #0000h, #0100h or
#0300h which is received from the service supply device
111, and the same key as the area intermediate key Kc
registered in the service supply machine 111 of Fig. 20
is generated as in the case of Fig. 19. The same key as
the area intermediate key Kc is set as a first access key
Kbc used for certification.

[0224] In the IC card 2, the service key #030Ch or
#1022h is read out from the service defining area having
the service code #030Ch or #1022h respectively which
is received from the service supply machine 111. The
area intermediate key Kc is encrypted on the basis of
the service key #030Ch and as a result the same key as
the service intermediate key K#030Ch is generated.
Further, the same key as the service intermediate key
K#030Ch is encrypted on the basis of the service key
#1022h, and the same key as the service intermediate
key K#1022h registered in the service supply machine
111 of Fig. 20 is generated. The same key as the service
intermediate key K#1022h is set as a second access key
Kac used for certification.

[0225] Accordingly, in the above case, the area
intermediate key Kc or the service intermediate key K#1022h,
which is the first access key Kbc or the second access
key Kac, is registered in the service supply machine 111,
and the area intermediate key Kc or the service
intermediate key K#1022h, which is the first access key Kbc
or the second access key Kac, is generated in the IC card
2.

[0226] The mutual certification is carried out between 
the IC card 2 and the service supply machine 111 as in 
the case of Figs. 14 and 15. 

[0227] As a result of the mutual certification, if both 
the IC card 2 and the service supply machine 111 are 
judged to be proper, an access to only the service area 
managed by the service defining area having the service 
code transmitted from the service supply machine 111 
is permitted in the IC card 2. Accordingly, in the case of
Figs. 20 and 21, the access to the service area managed
by the service defining area #030Ch and the service area
managed by the service defining area #1022h is
permitted.

[0228] As described above, by encrypting the system
key on the basis of the two or more area keys or service
keys, the two or more area keys or service keys are
degenerated (composed) into the two keys of the first
access key Kbc and the second access key Kac, and the
mutual certification to permit the access to the service
area managed by the service defining area having the
service code transmitted from the service supply
machine 111 is performed by using the first access key Kbc
and the second access key Kac. Therefore, even when
the access to plural service defining areas is targeted,
the mutual certification can be completed in a short time,
thereby ensuring the quick access to the service area.
[0229] In the case of Figs. 14 and 15, the mutual
certification processing is performed by using the two keys
of the first access key Kbc and the second access key
Kac; however, it is possible to perform the mutual
certification processing by using only the second access key
Kac, for example. In this case, in the IC card 2 the two
or more area keys or service keys are degenerated into
one second access key Kac by encrypting the system
key on the basis of two or more area keys or service
keys.

[0230] Further, as shown in Fig. 22, it is possible to
use an encryption result obtained by encrypting the first
access key Kbc and the second access key Kac, for
example, on the basis of a manufacturing ID which is
stored in the manufacturing ID block and is an inherent
value to the IC card 2. Here, in Fig. 22, with respect to
the first access key Kbc, the encryption is carried out by
subjecting the first access key Kbc and the manufacturing
ID to EXOR. With respect to the second access key
Kac, the encryption based on DES system is performed.
With respect to the second access key Kac, the
encryption based on the DES system may be performed by
using the EXOR result of the first access key Kbc and
the manufacturing ID as a key.
[0231] As described above, when the encryption
result obtained by encrypting the first access key Kbc and
the second access key Kac is used for the mutual
certification, the security can be more enhanced. In this
case, the manufacturing ID is needed in the service
supply machine 111, and it may be transmitted from the IC
card 2.

[0232] Next, the storage area of EEPROM 66 has a
layered structure in which the area defining area is
layered, and each area defining area and each service
defining area are designed to store an area key and a
service key for certification. As a result, the following access
control having flexibility can be performed.
[0233] That is, when a manager serves as a parent
manager and wishes to stop a service supply by a child
manager to which a resource of the parent manager is
shared because the child manager makes an unjust
service, the parent manager can prohibit the child
manager from accessing the IC card 2 by altering the area
key stored in the area defining area.
[0234] Specifically, for example when the manager B1
stops the service supply of the manager C in Fig. 7, the
manager B1 alters the area key #0100h stored in the
area defining area #0100h of the IC card 2. In this case,
the area intermediate key KB1 formed in the IC card 2,
and further the area intermediate key Kc, are also altered
in Fig. 19, so that the manager C which knows only the
area intermediate key Kc before the alteration cannot
access the service defining area #030Ch.
[0235] The manager A which is the parent manager
of the manager B1 serving as the parent manager of the
manager C may alter the area key #0000h stored in the
area defining area #0000h to prohibit the access to the
service defining area #030Ch. However, in this case, the
manager B2 which is a child of the manager A cannot
access the service area managed by the service defining
area #1022h of the manager B2. That is, when a
manager alters the area key thereof, it is impossible to
access service defining areas managed by area defining
areas in layers (child layer, grandchild layer, ...) of
the area defining area corresponding to the area key.
[0236] In Figs. 20 and 21, the manager C uses (the
service area managed by) the service defining area
#1022h of the manager B2 in common with the manager
B2. However, more complicated common use of the
service defining area is possible between managers for
some types of key management.
[0237] Specifically, for example, it is assumed that a
layer structure shown in Fig. 23 is constructed in EEPROM
66. That is, in Fig. 23, an area defining area
#5000h of a manager E and an area defining area
#7000h of a manager G are formed as child layers of
the layer of the area defining area #0000h of the
manager A serving as an issuer of the IC card 2. Further,
service defining areas #5008h, #5048h, #5088h and
#50C8h are formed in the layer of the area defining area
#5000h of the manager E, and an area defining area
#6000h of a manager F is formed.
[0238] Further, service defining areas #6008h and
#6048h are formed in the layer of the area defining area
#6000h of the manager F, and service defining areas
#7008h and #70C8h are formed in the layer of the area
defining area #7000h of the manager G.
[0239] In the above-mentioned layer structure, the
manager A encrypts the system key on the basis of the
area key #0000h as shown in (A) of Fig. 24, and delivers
the encryption result to the managers E and G serving
as the child managers.

[0240] As shown in (B) of Fig. 24, the manager E
encrypts, on the basis of the area key #5000h, the
encryption result of the system key on the basis of the area key
#0000h from the manager A, and uses the encryption
result as a first access key KE1. Further, the manager E
encrypts the first access key KE1 (the encryption result
based on the area key #5000h) successively on the
basis of each of the service keys #5008h, #5048h, #5088h
and #50C8h, and uses the final encryption result as a
second access key KE2.

[0241] As shown in (C) of Fig. 24, the manager F is
supplied with the first access key KE1 (the encryption result
based on the area key #5000h) from the manager E,
encrypts it on the basis of the area key #6000h, and sets
the encryption result as a first access key KF1. Further,
the manager F encrypts the first access key KF1 (the
encryption result based on the area key #6000h)
successively on the basis of each of the service keys
#6008h and #6048h, and delivers the encryption result
to the manager E to encrypt it successively on the basis
of each of the service keys #5048h and #5088h.
Thereafter, the manager F is supplied with the encryption
result from the manager E and delivers it to the manager
G to encrypt it on the basis of the service key #70C8h.
The manager F is supplied with the encryption result
from the manager G, and uses it as a second access
key KF2.

[0242] As shown in (D) of Fig. 24, the manager G
encrypts the encryption result of the system key based on
the area key #0000h from the manager A on the basis
of the area key #7000h, and uses the encryption result
as a first access key KG1. Further, the manager G
encrypts the first access key KG1 (the encryption result
based on the area key #7000h) successively on the basis
of each of the service keys #7008h and #70C8h, and
delivers the final encryption result to the manager F to
encrypt it on the basis of the service key #6048h.
Thereafter, the manager G delivers to the manager E the
encryption result using the service key #6048h by the
manager F to encrypt the encryption result successively on
the basis of each of the service keys #5088h and
#50C8h. The manager G is supplied with the encryption
result from the manager E and uses it as a second
access key KG2.

[0243] In this case, in the IC card 2, the system key is 
encrypted by using the area key and the service key 
stored in EEPROM 66 according to the same procedure 
as the case of Fig. 24 to generate the first access key 
and the second access key, whereby the common use 
of the service defining area as shown in Fig. 25 can be 
mutually performed among the managers E, F and G.
[0244] That is, the manager E can access only the 
service defining areas #5008h, #5048h, #5088h and
#50C8h thereof. The manager F can access not only 
the service defining areas #6008h and #6048h thereof, 
but also the service defining areas #5048h and #5088h 
of the manager E and the service defining area #70C8h 
of the manager G. The manager G can access not only 
the service defining areas #7008h and #70C8h thereof, 
but also the service defining areas #5088h and #50C8h 
of the manager E and the service defining area #6048h 
of the manager F. 

[0245] In the key delivery as shown in Fig. 24, there 
is no case where the service key itself of a manager is 
known by another manager. That is, the service keys
#5008h, #5048h, #5088h and #50C8h of the manager
E are known neither by the parent manager A
nor by the managers F and G. Likewise, the service
keys #6008h and #6048h of the manager F are never 
known by the managers E and G, and the service keys 
#7008h and #70C8h of the manager G are never known 
by the managers E and F. 

[0246] Further, as described above, when some manager
alters its area key, it is impossible to access all
the service defining areas managed by the area defining 
area of the layer in the layer of the area defining area, 
that is, when the parent manager alters the area key, 
the child managers cannot access the IC card 2. How- 
ever, in accordance with a specific key management 
method, an access of a specific child manager can be 
prohibited. 

[0247] Specifically, for example, it is assumed that a
layer structure as shown in Fig. 26 is constructed in
EEPROM 66. That is, in Fig. 26, an area defining area
#8000h of a manager H, an area defining area #9000h
of a manager I and an area defining area #A000h of a
manager J are formed as child layers of the layer of the
area defining area #0000h of the manager A serving as
the issuer of the IC card 2. Further, service defining
areas #8008h, #8104h and #8105h are formed in the layer
of the area defining area #8000h of the manager H.
[0248] In the above layer structure, as shown in (A) of
Fig. 27, the manager A encrypts the system key on the
basis of the area key #0000h and delivers the encryption
result to the managers I and J serving as child managers
thereof.

[0249] As shown in (C) of Fig. 27, the manager I
encrypts the encryption result of the system key based on
the area key #0000h from the manager A on the basis
of the area key #9000h, and uses the encryption result
as a first access key KI1. Further, the manager I delivers
the first access key KI1 (the encryption result based on
the area key #9000h) to the manager H to encrypt it
successively on the basis of each of the service keys
#8008h and #8104h as shown in (B) of Fig. 27. Then,
the manager I uses the encryption result as a second
access key KI2 as shown in (C) of Fig. 27.
[0250] As shown in (D) of Fig. 27, the manager J
encrypts the encryption result of the system key based on
the area key #0000h from the manager A on the basis
of the area key #A000h, and uses the encryption result
as a first access key KJ1. Further, the manager J delivers
the first access key KJ1 (the encryption result based on
the area key #A000h) to the manager H to encrypt the
encryption result successively on the basis of each of
the service keys #8008h and #8105h as shown in (B) of
Fig. 27. The manager J uses the encryption result as a
second access key KJ2 as shown in (D) of Fig. 27.
[0251] In this case, in the IC card 2, the system key is
encrypted by using the area key and the service key
stored in EEPROM 66 according to the same procedure
as the case of Fig. 27 to generate the first access key
and the second access key, whereby the manager I can
access the service defining areas #8008h and #8104h
of the manager H and the manager J can access the
service defining areas #8008h and #8105h of the
manager H.

[0252] The manager H forms the service defining area
#8008h so as to commonly use the data thereof
between the managers I and J, and forms the service
defining area #8104h or #8105h as a so-called dummy
service defining area to control the access to the service
defining area #8008h by each of the manager I or J.
Accordingly, the service areas managed by the service
defining areas #8104h and #8105h are not necessary, and
the capacity thereof may be equal to zero.
[0253] In this case, for example when the manager H
alters the service key #8104h, the manager I in which
the second access key KI2 is generated by using the
service key #8104h to perform the certification processing
in the IC card 2 cannot access the service defining
area #8008h. That is, only the access to the service
defining area #8008h by the manager I is prohibited. On
the other hand, for example when the manager H alters
the service key #8105h, the manager J in which the
second access key KJ2 is generated by using the service
key #8105h to perform the certification processing in the
IC card 2 cannot access the service defining area
#8008h. That is, only the access to the service defining
area #8008h by the manager J is prohibited.
[0254] As described above, a specific child manager 
can be prohibited from accessing by using a dummy 
service defining area. 
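
The dummy-key revocation of paragraphs [0247] to [0254], as an added Python example that is not code from the patent. HMAC-SHA-256 truncated to 8 bytes stands in for each "encrypt on the basis of" step, the mutual certification of Figs. 14 and 15 is reduced to a key comparison, and all key values and the names enc, chain, Card and issue_reader_keys are constructed for the illustration.

```python
import hashlib
import hmac


def enc(key: bytes, data: bytes) -> bytes:
    """Stand-in (assumption) for 'encrypt data on the basis of key': keyed, 8-byte output."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def chain(start: bytes, keys) -> bytes:
    """Apply enc() successively, one key after another (the key degeneration)."""
    for key in keys:
        start = enc(key, start)
    return start


class Card:
    """Card side: regenerates both access keys from the keys held in its own storage."""

    def __init__(self, system_key, area_keys, service_keys):
        self.system_key = system_key
        self.area_keys = dict(area_keys)        # area code -> area key
        self.service_keys = dict(service_keys)  # service code -> service key

    def access_keys(self, area_codes, service_codes):
        first = chain(self.system_key, [self.area_keys[c] for c in area_codes])
        second = chain(first, [self.service_keys[c] for c in service_codes])
        return first, second

    def permits(self, area_codes, service_codes, reader_keys):
        # Simplification: certification is modelled as "both sides hold the same two keys".
        first, second = self.access_keys(area_codes, service_codes)
        return (hmac.compare_digest(first, reader_keys[0])
                and hmac.compare_digest(second, reader_keys[1]))


def issue_reader_keys(system_key, area_keys, service_keys, child_area, service_codes):
    """Manager side of Fig. 27: each step is done by the manager owning that key."""
    from_a = enc(area_keys[0x0000], system_key)   # manager A, delivered to the child
    first = enc(area_keys[child_area], from_a)    # child manager (I or J)
    second = chain(first, [service_keys[c] for c in service_codes])  # manager H
    return first, second


def demo():
    # All key values below are constructed for this example.
    system_key = b"syskey01"
    area = {0x0000: b"areaA000", 0x8000: b"areaH800",
            0x9000: b"areaI900", 0xA000: b"areaJA00"}
    svc = {0x8008: b"svc-8008", 0x8104: b"svc-8104", 0x8105: b"svc-8105"}
    card = Card(system_key, area, svc)

    # Codes each manager's machine sends to the card: shared area plus its own dummy.
    req_i = ([0x0000, 0x9000], [0x8008, 0x8104])
    req_j = ([0x0000, 0xA000], [0x8008, 0x8105])
    keys_i = issue_reader_keys(system_key, area, svc, 0x9000, req_i[1])
    keys_j = issue_reader_keys(system_key, area, svc, 0xA000, req_j[1])

    def status():
        return card.permits(*req_i, keys_i), card.permits(*req_j, keys_j)

    before = status()
    card.service_keys[0x8104] = b"svc-new!"   # manager H alters the dummy key used for I
    after_dummy = status()
    card.area_keys[0x0000] = b"areaAnew"      # manager A alters the top-level area key
    after_parent = status()
    return before, after_dummy, after_parent


if __name__ == "__main__":
    print(demo())
```

Altering the dummy service key on the card invalidates only the second access key registered for manager I, while altering area key #0000h invalidates every key derived below it.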

[0255] Next, consider the case where management
information (hereinafter referred to as registered card issuing
information) to manage user blocks, such as the code
range, the allocation block number, the area key, the
service key, etc. which are needed for the manager to
form the area defining area and the service defining area
as described with reference to Fig. 8, is registered in the
registered card issuing machine 101 and the registered
card issuing work is carried out. When the registered
card issuing machine 101 is disposed at a station, a retail
store or another non-safe place, the probability that an
unfair practice such as tapping, tampering or the like is
carried out is high, and thus it is unfavorable in security
management.

[0256] Therefore, in this case, as shown in Fig. 28, a 
manager which will form an area defining area and a 
service defining area (hereinafter referred to as a regis- 
tered card issuing dealer) encrypts the registered card 
issuing information and transmits the encrypted regis- 
tered card issuing information to the registered card is- 
suing machine 101 through a transmission medium 121 
such as a public line, Internet, ground wave, a satellite 
line, a CATV (Cable Television) network or the like to 
register the information into the registered card issuing 
machine 101. In the registered card issuing machine 
101, the encrypted registered card issuing information 
is transmitted to the IC card 2, and in the IC card 2 the 
encrypted registered card issuing information is decod- 
ed to form the area defining area and the service defin- 
ing area. 

[0257] Here, Fig. 28 shows a state where a storage
area to supply services by a manager #2 is constructed
as described above on an IC card 2 in which only a
storage area to supply services by a manager #1 is
constructed (a state where the registered card issuing work
is carried out).

[0258] Next, Fig. 29 shows the construction of an em- 
bodiment of a registered card issuing processing sys- 
tem for performing the above registered card issuing 
work. 

[0259] A registered card issuing information supply
apparatus 131 transmits registered card issuing
information (hereinafter referred to as encrypted registered
card issuing information) through a transmission medium
121 to the registered card issuing machine 101 by
performing the registered card issuing information supply
processing described later. The registered card issuing
machine 101 receives and registers the encrypted
registered card issuing information from the registered
card issuing information supply apparatus 131. When
the IC card 2 is inserted into the registered card issuing
machine 101, the registered card issuing machine 101
transmits the encrypted registered card issuing
information to the IC card 2. The IC card 2 receives the
encrypted registered card issuing information from the
registered card issuing machine 101 and performs the
decoding processing described later to decode the
encrypted registered card issuing information to the
original registered card issuing information. Thereafter, the
IC card 2 performs the above area forming processing
(Fig. 9) or service forming processing (Fig. 10) to form
the area defining area or the service defining area on
the basis of the decoded registered card issuing
information.

[0260] Next, the registered card issuing information 
supply processing carried out by the registered card is- 
suing information supply apparatus 131 will be de- 
scribed with reference to the flowchart of Fig. 30. 
[0261] The registered card issuing information supply
apparatus 131 is supplied with a code range, an
allocation block number and an area key needed to form an
area defining area or a service code, an allocation block
number and a service key needed to form a service
defining area. In step S21, the registered card issuing
information is formed on the basis of this input
information.

[0262] That is, when the code range, the allocation 
number and the area key needed to form the area de- 
fining area are input, these data are associated with 
each other to form the registered card issuing information.
When the service code, the allocation number and
the service key needed to form the service defining area 
are input, these data are associated with each other to 
form the registered card issuing information. 
[0263] The processing goes to step S22 to compute an
error correction code for the registered card issuing
information formed in step S21, and the computation result
is included in the registered card issuing information
as a check code for checking tampering.
[0264] Thereafter, the registered card issuing infor- 
mation is encrypted in step S23. That is, in step S23, 
the registered card issuing information is encrypted on 
the basis of the area key of the area defining area of the 
parent layer of an area defining area or service defining 
area to be formed on the basis of the registered card 
issuing information, and it is set as encrypted registered 
card issuing information. 

[0265] Thereafter, the processing goes to step S24 to
add an identification code (when the encrypted
registered card issuing information is used to form an area
defining area, the identification code is the area code of
the area defining area concerned, and when it is used
to form a service defining area, the identification code
is the service code thereof) as a header to the encrypted
registered card issuing information, and the
identification code is transmitted through the transmission
medium 121 to the registered card issuing machine 101,
thereafter completing the registered card issuing
information supply processing.

[0266] Accordingly, for example when the parent
manager A forms the area defining area #0100h of the
child manager B1 in Fig. 7, the encrypted registered
card issuing information as shown in (A) of Fig. 31 is
transmitted from the registered card issuing information
supply apparatus 131. That is, the area code #0100h of
the area defining area #0100h is disposed as a header
at the head of the encrypted registered card issuing
information of (A) of Fig. 31. The area code #0100h is not
encrypted in the IC card 2 because it is used to
recognize the parent layer. Further, the area code #0100h is
recognized on the basis of the code range of the input
information in the registered card issuing information
supply apparatus 131. This is because according to this
embodiment the minimum value of the code range of
the area defining area is set as an area code and thus
the area code can be recognized on the basis of the
code range as described above.
[0267] A code range from #0100h to #03FFh to be
stored in the area defining area #0100h, an allocation
block number 33, a0a0a0a0a0a0a0a0 as the area key
#0100h and a check code are successively disposed
subsequently to the non-encrypted area code #0100h
as a header. These are encrypted (illustrated as being
shadowed in Fig. 31(A)) on the basis of
0123456789abcdef as the area key #0000h of the area
defining area #0000h serving as the parent layer.
[0268] When the manager B2 forms the service
defining area #1022h thereof in Fig. 7, the encrypted
registered card issuing information as shown in (B) of Fig.
31 is transmitted from the registered card issuing
information supply apparatus 131. That is, the service code
#1022h of the service defining area #1022h is disposed
as a header at the head of the encrypted registered card
issuing information of (B) of Fig. 31. The service code
#1022h is not encrypted in the IC card 2 because it is
used to recognize the parent layer (the layer to which
the service defining area belongs).
[0269] The service code #1022h to be stored in the
service defining area #1022h, an allocation block
number 5, 0303030303030303 as the area key #1022h
and a check code are successively disposed
subsequently to the non-encrypted service code #1022h as a
header. These are encrypted (illustrated as being
shadowed in (B) of Fig. 31) on the basis of
c0c0c0c0c0c0c0c0 as the area key #1000h of the area
defining area #1000h serving as the parent layer.
[0270] Since the registered card issuing information
is encrypted on the basis of the area key of the parent
layer as described above, the content of the registered
card issuing information cannot be known unless the
area key thereof is known. Accordingly, even when the
encrypted registered card issuing information as
described above is transmitted to a non-safe place,
leakage of the content thereof can be prevented. As a result,
it is possible to distribute the encrypted registered card
issuing information and request the third party to register
it into the registered card issuing machine 101 or
transmit it to the IC card 2.

[0271] In this case, the registered card issuing
information is encrypted on the basis of the area key of the
parent layer, and thus it is basically favorable that the
registered card issuing information supply processing is
performed under the control of its parent manager. That
is, when the registered card issuing information supply
processing is carried out by a third party, the area key
of the parent layer used for the encryption must be made
publicly open to the third party, and this is unfavorable
in security. Therefore, the registered card issuing
information supply processing is favorably performed under
the control of the parent manager.
[0272] Next, the decoding processing carried out by
the IC card 2 will be described with reference to the
flowchart of Fig. 32.

[0273] When the encrypted registered card issuing
information is transmitted from the registered card issuing
information supply apparatus 131 as described above,
the registered card issuing machine 101 receives and
registers the encrypted registered card issuing
information. When the IC card 2 is inserted, the registered card
issuing machine 101 transmits the encrypted registered
card issuing information to the IC card 2. The IC card 2
receives the encrypted registered card issuing
information from the registered card issuing machine 101 to
recognize the area defining area as the parent layer of an
area defining area or service defining area to be formed
on the basis of the encrypted registered card issuing
information in step S31.
[0274] That is, in step S31, the area code or service
code of the area defining area or service defining area
to be formed is recognized by referring to the header of
the encrypted registered card issuing information. In
step S31, the area defining area containing the area
code or service code thus recognized in the code range
is detected from EEPROM 66, and the area defining
area is recognized as the parent layer.
[0275] The processing goes to step S32 to decode the
encrypted registered card issuing information on the
basis of the area key stored in the area defining area of
the parent layer recognized in step S31, and then the
processing goes to step S33. In step S33, it is judged
on the basis of the check code contained in the decoded
registered card issuing information whether the
registered card issuing information has been tampered with. If in
step S33 it is judged that the registered card issuing
information has been tampered with, the processing goes to
step S34 to transmit to the registered card issuing
machine 101 a message indicating that the registered card
issuing information has been tampered with, and perform
error processing of discarding the decoded registered
card issuing information or the like, thereby completing
the decoding processing. In this case, the decoding
processing is abnormally finished, and the area defining
area or the service defining area is not formed.
[0276] On the other hand, if it is judged in step S33
that the registered card issuing information has not been
tampered with, the decoding processing is finished. In this
case, the decoding processing is normally finished, and
then the processing of storing the registered card
issuing information thus decoded into EEPROM 66, that is,
the area forming processing (Fig. 9) or the service
forming processing (Fig. 10) of forming the area
defining area or service defining area, is carried out.
[0277] The check as to the tampering of the registered
card issuing information may be carried out by using the 
header of the encrypted registered card issuing infor- 
mation in place of the check code. That is, if the encrypt- 
ed registered card issuing information is used to form 
the area defining area, the area code is disposed at the 
header thereof as shown in Fig. 31(A), and the area 
code may be coincident with the minimum value of the 
encrypted code range disposed subsequent to the area 
code. Accordingly, the tampering or non-tampering of 
the encrypted registered card issuing information can 
be checked by comparing the area code disposed at the 
header with the minimum value of the code range dis- 
posed subsequent to the area code. Further, if the en- 
crypted registered card issuing information is used to 
form the service defining area, as shown in Fig. 31(B), 
the service code is disposed at the header, and the serv- 
ice code may be coincident with the encrypted service 
code disposed subsequently to the service code. Ac- 
cordingly, the tampering or non-tampering of the en- 
crypted registered card issuing information can be 
checked by comparing the service code disposed at the 
header with the service code disposed subsequently to 
the service code. 
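
The supply processing of Fig. 30 (steps S21 to S24) and the card-side decoding of Fig. 32 (steps S31 to S34), as an added Python example that is not code from the patent, narrowed to the area defining area packet of Fig. 31(A). The byte layout, the CRC-32 check code, the HMAC-based Feistel cipher standing in for the patent's encryption, the root code range #0000h to #FFFFh, the choice of the narrowest containing range as parent, and every value for area #0300h are assumptions; the check code and the header comparison of [0277] are both applied.

```python
import hashlib
import hmac
import struct
import zlib

BODY = struct.Struct(">HHH8s")  # code min, code max, allocation blocks, area key (assumed layout)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:len(half)]


def cipher(key, data, decrypt=False):
    """Stand-in block cipher (assumption): 4-round Feistel over the whole even-length body."""
    n = len(data) // 2
    left, right = data[:n], data[n:]
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        if decrypt:
            left, right = _xor(right, _f(key, rnd, left)), left
        else:
            left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def build_area_packet(parent_key, code_min, code_max, blocks, area_key):
    body = BODY.pack(code_min, code_max, blocks, area_key)         # S21: form the information
    body += struct.pack(">I", zlib.crc32(body))                    # S22: append check code
    return struct.pack(">H", code_min) + cipher(parent_key, body)  # S23 encrypt, S24 add header


class Card:
    def __init__(self, root_key):
        # area code -> (code min, code max, area key); block allocation (Fig. 9) is not modelled
        self.areas = {0x0000: (0x0000, 0xFFFF, root_key)}

    def decode(self, packet):
        if len(packet) != 2 + BODY.size + 4:
            return "bad length"
        (code,) = struct.unpack(">H", packet[:2])
        # S31: parent layer = narrowest registered area whose code range contains the header
        parents = [a for a in self.areas.values() if a[0] <= code <= a[1]]
        parent = min(parents, key=lambda a: a[1] - a[0])
        body = cipher(parent[2], packet[2:], decrypt=True)          # S32: decode with parent key
        fields, (check,) = body[:-4], struct.unpack(">I", body[-4:])
        if zlib.crc32(fields) != check:                             # S33 failed, so S34
            return "check code mismatch"
        code_min, code_max, _blocks, area_key = BODY.unpack(fields)
        if code_min != code:                                        # header comparison of [0277]
            return "header mismatch"
        self.areas[code] = (code_min, code_max, area_key)           # area forming processing
        return "formed"


def demo():
    root_key = bytes.fromhex("0123456789abcdef")   # area key #0000h, Fig. 31(A)
    key_0100 = bytes.fromhex("a0a0a0a0a0a0a0a0")   # area key #0100h, Fig. 31(A)
    packet = build_area_packet(root_key, 0x0100, 0x03FF, 33, key_0100)
    flipped = packet[:-1] + bytes([packet[-1] ^ 0x01])   # one bit changed in the encrypted body
    reheaded = b"\x02\x00" + packet[2:]                  # clear-text header changed to #0200h
    results = {
        "tampered body": Card(root_key).decode(flipped),
        "tampered header": Card(root_key).decode(reheaded),
    }
    card = Card(root_key)
    results["area #0100h"] = card.decode(packet)
    # Child area #0300h (constructed values) has to be encrypted under area key #0100h.
    key_0300 = bytes.fromhex("3030303030303030")
    results["#0300h under root key"] = card.decode(
        build_area_packet(root_key, 0x0300, 0x03FF, 4, key_0300))
    results["#0300h under key #0100h"] = card.decode(
        build_area_packet(key_0100, 0x0300, 0x03FF, 4, key_0300))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The header travels unencrypted and is not covered by the check code, so on this layout only the header comparison catches a packet whose header was changed to another code inside the same parent's range.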

[0278] As described above, in the registered card is- 
suing information supply apparatus 131, the registered 
card issuing information is encrypted to obtain the en- 
crypted registered card issuing information, and the en- 
crypted registered card issuing information is decoded 
in the IC card 2. Therefore, even when the registered 
card issuing machine 101 is disposed at a non-safe 
place to transmit through the transmission medium 121,
an unfair practice such as tapping, tampering or the like 
can be prevented. 

[0279] As a result, when a registered card issuing 
work is carried out to start supply of a new service by 
using the IC card 2, it is unnecessary to withdraw the IC 
card 2, and thus the cost needed to the withdrawal can 
be reduced. Further, from a position of a user of the IC 
card 2, when the supply of a new service is started, the 
user may bring the IC card 2 to a place at which the 
registered card issuing machine 101 is set and perform 
the registered card issuing work without the IC card 2
being withdrawn, whereby the user can be immedi-
ately supplied with the new service.
[0280] In the foregoing description, the present inven-
tion is applied to a non-contact card system in which the
communication is performed under a contactless state.
However, the present invention may be applied to a card
system in which the communication is performed under
a contact state. Further, the application range of the
present invention is not limited to the card system.
[0281] In this embodiment, the certification is carried
out by a so-called secret key system; however, it may
be performed by a so-called open-public key system.
[0282] In this embodiment, when the service defining
area of the layer of an area defining area is accessed,
the first access key is generated by successively using
the area keys of the area defining areas on the bus from
the layer of the area defining area to the uppermost lay-
er, however, the generation method of the first access
key is not limited to the above manner. Further, accord-
ing to this embodiment, the second access key is gen-
erated by successively using the service keys of the
service defining area to be accessed. However, the gen- 
eration method of the second access key is not limited 
to the above manner. That is, the first access key and 
the second access key can be generated by successive- 
ly using any two or more area keys or service keys. 
[0283] Further, in this embodiment, each of the user
block and the system block is stored in EEPROM 66
which is one memory. However, the user block and the
system block may be stored in physically different mem-
ories.

[0284] In this embodiment, data are stored in EEP- 
ROM, however, the data may be stored in a semicon- 
ductor memory, a magnetic disc or the like other than 
EEPROM.

[0285] In this embodiment, the registered card issuing 
information is encrypted on the basis of the area key in
the area defining area of the parent layer in the regis- 
tered card issuing information supply processing. How- 
ever, the key used for the encryption of the registered 
card issuing information is not limited to the area key of 
the parent layer. However, since it is necessary to de- 
code the encrypted registered card issuing information, 
the key used for the encryption of the registered card 
issuing information must be stored in the IC card 2. Ac- 
cordingly, when the area key of the parent layer is used 
to encrypt the registered card issuing information, the 
area key of the parent layer has been already stored in 
the IC card 2, and thus a key used to decode (encrypt) 
the registered card issuing information is not required to 
be stored in the IC card 2 in addition to the key of the 
parent layer. 
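
The header check of paragraph [0277], run on a package encrypted under the parent layer's area key as in paragraph [0285], as an added example that is not part of the patent text. The field widths, the SHA-256 keystream used as a stand-in cipher, and the names supply_side_encrypt, card_side_accept and flip_bit are assumptions made for the illustration.

```python
import hashlib
import struct

# Assumed layout (field widths are illustrative, not taken from the patent):
#   header: area code (2 bytes, plaintext)
#   body  : code range min, code range max, empty capacity (2 bytes each),
#           area key (8 bytes), encrypted under the parent layer's area key
BODY = struct.Struct(">HHH8s")


def _keystream(key: bytes, n: int) -> bytes:
    """Stand-in cipher: SHA-256 in counter mode (the text names no cipher here)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def supply_side_encrypt(parent_key, code_min, code_max, capacity, area_key):
    """Supply apparatus: area code in the clear, the rest encrypted."""
    body = BODY.pack(code_min, code_max, capacity, area_key)
    return struct.pack(">H", code_min) + _xor(body, parent_key)


def card_side_accept(parent_key, package):
    """IC card: decode with the parent area key it already stores, then run
    the header check. Returns the decoded fields, or None if the check fails."""
    if len(package) != 2 + BODY.size:
        return None
    (header_code,) = struct.unpack(">H", package[:2])
    code_min, code_max, capacity, area_key = BODY.unpack(_xor(package[2:], parent_key))
    if header_code != code_min:  # area code must equal the decoded range minimum
        return None
    return {"code_min": code_min, "code_max": code_max,
            "capacity": capacity, "area_key": area_key}


def flip_bit(package: bytes, offset: int) -> bytes:
    """Constructed single-bit change in transit, used to exercise the check."""
    return package[:offset] + bytes([package[offset] ^ 0x01]) + package[offset + 1:]


PARENT_KEY = b"parentK0"  # constructed sample key
PKG = supply_side_encrypt(PARENT_KEY, 0x1000, 0x1FFF, 8, b"childKey")

if __name__ == "__main__":
    print("untouched     :", card_side_accept(PARENT_KEY, PKG))
    print("header changed:", card_side_accept(PARENT_KEY, flip_bit(PKG, 0)))
    print("key changed   :", card_side_accept(PARENT_KEY, flip_bit(PKG, 8)))
```

With this stand-in cipher, a change confined to the key field passes the header comparison because only the code field is compared; a check code computed over the whole record does not have that gap.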

[0286] Further, in this embodiment, the storage area 
of EEPROM 66 is managed while it is designed in the 
layer structure. However, the present invention may be 
applied to a case where the storage area of EEPROM 
66 is not managed in the layer structure. 
[0287] Still further, in this embodiment, the encrypted 
registered card issuing information is transmitted 
through the transmission medium 121 to the registered 
card issuing machine 101 to be registered into the reg-
istered card issuing machine 101. However, the encrypt-
ed registered card issuing information may be stored in
a recording medium (storage medium) such as a mag-
netic disc, a magneto-optical disc, an optical disc, a
memory card, a magnetic tape or the like, which will be
directly brought to the registered card issuing machine 
101 to register the encrypted registered card issuing in- 
formation. 

[0288] According to the information processing de-
vice of the first aspect of the present invention and the
information processing method of the second aspect of
the present invention, management information which
is used to manage a storage area of data storage means
and contains a key necessary to access the storage ar-
ea is encrypted. Accordingly, the content of the manage-
ment information can be prevented from leaking to a
third party.

[0289] According to the information processing de-
vice of the third aspect of the present invention and the
information processing method of the fourth aspect of
the present invention, management information which
is used to manage a storage area of data storage
means, contains a key necessary to access the storage
area and is encrypted is decoded. Accordingly, the con-
tent of the management information can be prevented
from leaking to a third party.



Claims 

1. An information processing device for performing 
processing of supplying management information 
to a data storage device including: data storage 
means for storing data to supply predetermined 
services; management information storage means
for storing management information containing a
key necessary to access a storage area of said data
storage means; and management means for man-
aging the storage area of said data storage means
on the basis of the management information, char-
acterized by comprising forming means for forming
the management information and encrypting means 
for encrypting the management information. 

2. The information processing device as claimed in
claim 1, further including transmission means for
transmitting the encrypted management informa- 
tion through a predetermined transmission medium 
to said data storage device. 

3. The information processing device as claimed in
claim 1, wherein the management information fur-
ther contains a storage area identifying code which
can be allocated to said storage area to be man-
aged and is used to identify said storage area.

4. The information processing device as claimed in
claim 1, wherein the management information fur-
ther contains an empty capacity of said storage ar-
ea to be managed.

5. The information processing device as claimed in
claim 1, further including operation means for oper-
ating a check code to check whether the manage-
ment information has been tampered or not, where-
in said encrypting means encrypts the check code
together with the management information.

6. The information processing device as claimed in 
claim 1, wherein the management information fur- 
ther contains information to manage said storage 
area to be managed while said storage area is de-
signed in a layer structure.

7. The information processing device as claimed in
claim 1, wherein when said storage area to be man-
aged is managed on the basis of the management
information while being designed in a layer struc-
ture, said encrypting means encrypts the manage-
ment information of a lower layer by using the key
contained in the management information of an up-
per layer.

8. A data storage device including: data storage 
means for storing data to supply predetermined 
services; management information storage means 
for storing management information containing a 
key necessary to access a storage area of said data
storage means; and management means for man-
aging the storage area of said data storage means
on the basis of the management information,
wherein the management information is renewed by
an access from the external.

9. The data storage device as claimed in claim 8, 
wherein the access from the external is carried out 
through a predetermined transmission medium. 

10. The data storage device as claimed in claim 8, fur- 
ther including communication means for performing 
communications with external equipment, wherein 
said management means manages said storage 
means in response to an instruction from said ex-
ternal equipment.

11. The data storage device as claimed in claim 10, 
wherein said communication means performs the 
communications with said external equipment in a
contact or non-contact state. 

12. The data storage device as claimed in claim 8, 
wherein the management information is supplied 
from an external information processing device.

13. The data storage device as claimed in claim 8, 
wherein the management information further con-
tains a storage area identifying code which can be
allocated to said storage area to be managed and 
is used to identify said storage area. 

14. The data storage device as claimed in claim 8, 
wherein the management information further con- 
tains an empty capacity of said storage area to be 
managed. 

15. The data storage device as claimed in claim 8, 
wherein the management information further con- 
tains information to manage said storage area to be 
managed while making said storage area in a layer 
structure. 

16. An information processing card including data stor- 
age means for storing data, management informa- 
tion storage means which serves to manage a stor- 
age area of said data storage means and contains 
a key necessary to access said storage area, and 
management means for managing said data stor-
age means on the basis of the management infor-
mation, characterized by further comprising recep-
tion means for receiving the encrypted manage-
ment information from external data storage device,
decoding means for decoding the encrypted man- 
agement information and storage control means for 
controlling said management information storage 
means so that the management information is 
stored in said management information storage 
means. 

17. The information processing card as claimed in claim 
16, wherein the management information further 
contains a storage area identifying code which can 
be allocated to said storage area to be managed 
and is used to identify said storage area. 

18. The information processing card as claimed in
claim 16, wherein the management information fur- 
ther contains an empty capacity of said storage ar- 
ea to be managed. 

19. The information processing card as claimed in claim
16, further including operation means for operating 
a check code to check whether the management 
information has been tampered or not, wherein said 
decoding means decodes the check code together 
with the management information. 

20. The information processing card as claimed in claim 
16, wherein the management information further 
contains information to manage said storage area 
to be managed while designing said storage area 
in a layer structure. 

21. The information processing card as claimed in claim
16, further including communication means for per-
forming communications with external equipment,
wherein said management means manages said 
storage means in response to an instruction from 
said external equipment. 

22. The information processing card as claimed in claim 
21, wherein said communication means performs
the communications with said external equipment
in a contact or non-contact state.

23. The information processing card as claimed in claim 
16, wherein said management means manages a 
storage area of said data storage while designing 
said storage area in a layer structure, and when the 
management information is encrypted by using the 
key contained in the management information of an 
upper layer thereof, said decoding means decodes 
the encrypted management information by using 
the key contained in the management information 
of an upper layer thereof which is stored in said 
management information storage means. 

24. An information processing method for performing 
processing of supplying management information 
to a data storage device having data storage means 
for storing data to supply predetermined services; 
management information storage means for storing 
management information containing a key neces- 
sary to access a storage area of said data storage 
means; and management means for managing the 
storage area of said data storage means on the ba- 
sis of the management information, characterized 
by comprising: 

a forming step of forming the management in- 
formation; and 

an encrypting step of encrypting the manage- 
ment information. 

25. The information processing method as claimed in 
claim 24, further including a transmission step of 
transmitting the encrypted management informa- 
tion through a predetermined medium to said data 
storage device. 

26. The information processing method as claimed in 
claim 24, wherein the management information fur- 
ther contains a storage area identifying code which 
can be allocated to said storage area to be man- 
aged and is used to identify said storage area. 

27. The information processing method as claimed in 
claim 24, wherein the management information fur- 
ther contains an empty capacity of said storage ar- 
ea to be managed. 

28. The information processing method as claimed in 
claim 24, further including operation means of op-
erating a check code to check whether the manage-
ment information has been tampered or not, where-
in said encrypting means encrypts the check code
as well as the management information. 

29. The information processing method as claimed in 
claim 24, wherein the management information fur- 
ther contains information to manage said storage 
area to be managed while designing said storage 
area in a layer structure. 

30. The information processing method as claimed in 
claim 24, wherein when said storage area to be 
managed is managed on the basis of the manage- 
ment information while designed in a layer struc- 
ture, said encrypting step encrypts the manage- 
ment information of a lower layer by using the key 
contained in the management information of an up- 
per layer thereof. 

31. A data storage method having data storage means 
for storing data to supply a predetermined service, 
management information storage means for storing 
management information containing a key neces- 
sary to access a storage area of said data storage 
means and management means for managing the 
storage area of said data storage means on the ba- 
sis of the management information, wherein the 
management information is renewed by an access 
from the external. 

32. The data storage method as claimed in claim 31,
wherein the access from the external is carried out 
through a predetermined transmission medium. 

33. The data storage method as claimed in claim 31,
further including communication means for per- 
forming communications with external equipment, 
wherein said management means manages said 
storage means in response to an instruction from 
said external equipment. 

34. The data storage method as claimed in claim 33, 
wherein said communication means performs the 
communications with said external equipment in a 
contact or non-contact state.

35. The data storage method as claimed in claim 31,
wherein the management information is supplied 
from an external information processing device. 

36. The data storage method as claimed in claim 31,
wherein the management information further con- 
tains a storage area identifying code which can be 
allocated to said storage area to be managed and 
is used to identify said storage area. 

37. The data storage method as claimed in claim 31,
wherein the management information further con-
tains an empty capacity of said storage area to be
managed.

38. The data storage method as claimed in claim 31,
wherein the management information further con-
tains information to manage said storage area to be
managed while designing said storage area in a lay-
er structure.




EP 0 973 135 A2 




FIG. 6 